
Windows Analysis Report vqirYMB1c4

Overview

General Information

Sample Name: vqirYMB1c4 (renamed file extension from none to dll)
Analysis ID: 448076
MD5: 492076d2d0e123d67a38e65ad5aaee6a
SHA1: e9abf822ac6c9ebe34ed7c724122a53703d1d6a4
SHA256: d1a1d73e134edf8accffaa2779fa637b448b762a9bad81c3093fda115ed189e1

Detection

Detection: Ursnif
Score: 64 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 776 cmdline: loaddll32.exe 'C:\Users\user\Desktop\vqirYMB1c4.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5700 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\vqirYMB1c4.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5808 cmdline: rundll32.exe 'C:\Users\user\Desktop\vqirYMB1c4.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • cmd.exe (PID: 5828 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 5484 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5696 cmdline: rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Connectdark MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 844 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3228 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 1576 cmdline: rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Mindlake MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 5064 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3556 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5672 cmdline: rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Porthigh MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 5688 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4956 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5040 cmdline: rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Problemscale MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 5036 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4996 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5468 cmdline: rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,WingGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 5800 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6068 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5536 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 4860 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup
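The tree above is produced by Joe Sandbox's loaddll32.exe harness, which loads the DLL and then runs rundll32.exe once for ordinal #1 (through a cmd.exe wrapper) and once for each of the five named exports: Connectdark, Mindlake, Porthigh, Problemscale and WingGrass. Every one of those six rundll32.exe instances, and loaddll32.exe itself, spawned the same two children, cmd.exe /c cd Island and cmd.exe /c cd Matter m, each with its own conhost.exe. The Python below is an added example and not part of the report: it rebuilds the tree from flat process-creation records and flags the rundll32.exe to cmd.exe pivot. The records are constructed from the PIDs and command lines shown in the tree (with ppid 0 standing in for loaddll32.exe's unlisted parent); the (pid, ppid, image, cmdline) shape is an assumed Sysmon/EDR-style schema and the regular expressions are the example's own.

```python
"""Added example (not part of the Joe Sandbox report): rebuild the process
tree from flat process-creation records and flag rundll32.exe -> cmd.exe.

Records are constructed from the report's Process Tree. The Event schema is an
assumed Sysmon/EDR-style shape, not a Joe Sandbox format."""
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

DLL = r"C:\Users\user\Desktop\vqirYMB1c4.dll"
CD_ISLAND = r"C:\Windows\system32\cmd.exe /c cd Island"
CD_MATTER = r"C:\Windows\system32\cmd.exe /c cd Matter m"
CONHOST = r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"

# (pid, ppid, image, cmdline) taken from the report's tree; loaddll32.exe's
# parent is not shown, so ppid 0 is used for it. conhost children are
# included only for the first rundll32 instance to keep the list short.
EVENTS = [
    Event(776, 0, "loaddll32.exe", f"loaddll32.exe '{DLL}'"),
    Event(5700, 776, "cmd.exe", f"cmd.exe /C rundll32.exe '{DLL}',#1"),
    Event(5808, 5700, "rundll32.exe", f"rundll32.exe '{DLL}',#1"),
    Event(5828, 5808, "cmd.exe", CD_ISLAND), Event(5360, 5828, "conhost.exe", CONHOST),
    Event(5484, 5808, "cmd.exe", CD_MATTER), Event(5960, 5484, "conhost.exe", CONHOST),
    Event(5696, 776, "rundll32.exe", f"rundll32.exe {DLL},Connectdark"),
    Event(844, 5696, "cmd.exe", CD_ISLAND), Event(3228, 5696, "cmd.exe", CD_MATTER),
    Event(1576, 776, "rundll32.exe", f"rundll32.exe {DLL},Mindlake"),
    Event(5064, 1576, "cmd.exe", CD_ISLAND), Event(3556, 1576, "cmd.exe", CD_MATTER),
    Event(5672, 776, "rundll32.exe", f"rundll32.exe {DLL},Porthigh"),
    Event(5688, 5672, "cmd.exe", CD_ISLAND), Event(4956, 5672, "cmd.exe", CD_MATTER),
    Event(5040, 776, "rundll32.exe", f"rundll32.exe {DLL},Problemscale"),
    Event(5036, 5040, "cmd.exe", CD_ISLAND), Event(4996, 5040, "cmd.exe", CD_MATTER),
    Event(5468, 776, "rundll32.exe", f"rundll32.exe {DLL},WingGrass"),
    Event(5800, 5468, "cmd.exe", CD_ISLAND), Event(6068, 5468, "cmd.exe", CD_MATTER),
    Event(5536, 776, "cmd.exe", CD_ISLAND), Event(4860, 776, "cmd.exe", CD_MATTER),
]

# rundll32.exe <dll>,<export>  with or without the single quotes Joe Sandbox prints
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+'?(?P<dll>[^',]+)'?\s*,\s*(?P<export>#?\w+)", re.I)
# cmd.exe /c cd <dir>  and nothing else: the shell changes directory and exits
NOOP_CD_RE = re.compile(r"cmd\.exe\s+/c\s+cd(\s[^&|<>]*)?$", re.I)


def build_tree(events):
    """Index events by pid and group children under their parent pid."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    return by_pid, children


def ancestry(by_pid, pid):
    """Image names from the root down to pid, e.g. ['loaddll32.exe', 'rundll32.exe', 'cmd.exe']."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def rundll32_exports(events):
    """Map each rundll32.exe pid to the (dll, export) parsed from its command line."""
    out = {}
    for e in events:
        if e.image.lower() == "rundll32.exe":
            m = RUNDLL32_RE.search(e.cmdline)
            if m:
                out[e.pid] = (m.group("dll"), m.group("export"))
    return out


def is_noop_cd(cmdline):
    """True when the command line is only 'cmd.exe /c cd <something>'."""
    return NOOP_CD_RE.search(cmdline) is not None


def rundll32_cmd_pivots(events):
    """Every cmd.exe whose parent is rundll32.exe, as (rundll32 pid, export, child cmdline)."""
    by_pid, _ = build_tree(events)
    exports = rundll32_exports(events)
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if e.image.lower() == "cmd.exe" and parent and parent.image.lower() == "rundll32.exe":
            alerts.append((parent.pid, exports.get(parent.pid, ("?", "?"))[1], e.cmdline))
    return alerts


if __name__ == "__main__":
    for rpid, export, cmd in rundll32_cmd_pivots(EVENTS):
        print(f"rundll32 pid {rpid} export {export!s:13} -> {cmd}  noop-cd={is_noop_cd(cmd)}")
```

A cmd.exe whose parent is rundll32.exe, with a command line that only changes directory, is a narrow and cheap hunting rule, since rundll32.exe rarely launches a shell; the export names on the rundll32.exe command lines are a second, sample-specific pivot.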

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source         | Rule                 | Description          | Author
vqirYMB1c4.dll | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security

Memory Dumps

Source                                                              | Rule                 | Description          | Author
00000000.00000002.603138321.000000006DD91000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
00000010.00000002.623198627.000000006DD91000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
00000015.00000002.623197671.000000006DD91000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
0000001A.00000002.591215493.000000006DD91000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
0000000D.00000002.590997709.000000006DD91000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
(2 further entries are not shown here; the complete list of matching memory dumps appears under "Yara detected Ursnif" in the signature section below.)

All listed matches sit in the region at 0x6DD91000, i.e. the code of the DLL itself as mapped into the sandbox's loaddll32.exe and rundll32.exe hosts (image base 0x6DD90000, see Unpacked PEs); the report lists no match inside any other process.

Unpacked PEs

Source                               | Rule                 | Description          | Author
0.2.loaddll32.exe.6dd90000.0.unpack  | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
26.2.rundll32.exe.6dd90000.1.unpack  | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
21.2.rundll32.exe.6dd90000.1.unpack  | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.6dd90000.1.unpack   | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
13.2.rundll32.exe.6dd90000.1.unpack  | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
(2 further entries are not shown here; the complete list of matching unpacked PEs appears under "Yara detected Ursnif" in the signature section below.)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: vqirYMB1c4.dll | Avira: detected

Multi AV Scanner detection for submitted file
Source: vqirYMB1c4.dll | Virustotal: Detection: 57%
Source: vqirYMB1c4.dll | Metadefender: Detection: 62%
Source: vqirYMB1c4.dll | ReversingLabs: Detection: 67%

Static PE information and embedded debug path
Source: vqirYMB1c4.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: vqirYMB1c4.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb | found in: loaddll32.exe, 00000000.00000002.617874720.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.566464815.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.623674037.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.591039098.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000002.623704883.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.623698742.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.610136610.000000006DE1A000.00000002.00020000.sdmp, vqirYMB1c4.dll

The PDB path is a useful pivot: it is present in the file on disk and in every process that mapped the DLL, and its random-word style matches the export names (Connectdark, Mindlake, Porthigh, Problemscale, WingGrass) and the "cd Island" / "cd Matter m" arguments seen in the process tree.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: vqirYMB1c4.dll, type: SAMPLE
Source: Yara match | File source: 0.2.loaddll32.exe.6dd90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.603138321.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.623198627.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.623197671.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.591215493.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.590997709.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.558142620.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.623150210.000000006DD91000.00000020.00020000.sdmp, type: MEMORY

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.578492820.00000000006BB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Note that this string was found in a private read/write region of loaddll32.exe (the sandbox loader) and not in the DLL's image, and the same string turns up in many unrelated reports; on its own it is weak evidence of keystroke capture.

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | the same 15 sources (the sample, 7 unpacked PEs and 7 memory dumps) listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above.
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDF84BB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDD1C3C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DE067D9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDD3E00
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDE5150
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDEE079
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DE00396
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DE102BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DDF84BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DDD1C3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DE067D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DDD3E00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DDE5150
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DDEE079
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DE00396
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DE102BC

The same eight addresses appear in both hosts because the DLL is mapped at the same base, 0x6DD90000, in every process; "potential crypto function" is a static heuristic, not an identified algorithm.

Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6DDD00AC appears 99 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6DDD00AC appears 99 times

Uses 32bit PE files
Source: vqirYMB1c4.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Classification label
Source: classification engine | Classification label: mal64.troj.winDLL@55/0@0/0
Mutants created
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1752:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2540:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:468:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5488:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:456:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_01

The number in each mutant name is the PID of a conhost.exe instance from the process tree above; WilError_01 mutexes of this form are created by every console host and are not sample-specific, so they are not usable as indicators.

Section flags and registry access
Source: vqirYMB1c4.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policy key Windows consults when a process is launched; not sample-specific)
Process created
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\vqirYMB1c4.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\vqirYMB1c4.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\vqirYMB1c4.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Connectdark
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Mindlake
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Porthigh
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Problemscale
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,WingGrass
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island (6 times, once per rundll32.exe instance)
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m (6 times, once per rundll32.exe instance)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (12 times, once per cmd.exe /c cd instance)

Every entry point exercised (ordinal #1 and the five named exports) produced the same two children, cmd.exe /c cd Island and cmd.exe /c cd Matter m, which change directory and exit without further effect. loaddll32.exe, which only loads the DLL and launches rundll32.exe for each export, spawned the pair as well, which suggests the behaviour is triggered on load rather than by one specific export. No other child process appears in this run, consistent with the "Program does not show much activity (idle)" and "Sample execution stops while process was sleeping" signatures listed above and with "No configs have been found" under Malware Configuration.
Static PE information
Source: vqirYMB1c4.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vqirYMB1c4.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vqirYMB1c4.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vqirYMB1c4.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vqirYMB1c4.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vqirYMB1c4.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: vqirYMB1c4.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vqirYMB1c4.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vqirYMB1c4.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vqirYMB1c4.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vqirYMB1c4.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
(The DYNAMIC_BASE, NX_COMPAT flags and the force.pdb debug path are listed under AV Detection above.)

PE file contains an invalid checksum
Source: vqirYMB1c4.dll | Static PE information: real checksum: 0xf3990 should be: 0xee3d3

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDD09D6 push ecx; ret 0_2_6DDD09E9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDD0075 push ecx; ret 0_2_6DDD0088
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DDD09D6 push ecx; ret 2_2_6DDD09E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DDD0075 push ecx; ret 2_2_6DDD0088
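The "real checksum: 0xf3990 should be: 0xee3d3" entry means the CheckSum field in the optional header does not match the value recomputed over the file. The Python below is an added example, not code from the report or from Joe Sandbox: it implements the PE checksum arithmetic (ones'-complement sum of 16-bit words with the CheckSum field treated as zero, folded to 16 bits, plus the file size) so the finding can be reproduced on any file with "python pe_checksum.py <file>". The sample is not embedded; make_test_pe() builds a constructed minimal PE32 DLL header, marked as such, purely to exercise the code. Two caveats when triaging on this signal: a CheckSum of 0 is normal for user-mode binaries (the linker fills it in only on request and the loader enforces it only for kernel drivers and some boot-time system images), whereas a non-zero value that does not match, as here, usually means the file was modified after it was linked.

```python
"""Added example (not from the report): recompute a PE image's
OptionalHeader.CheckSum the way imagehlp's CheckSumMappedFile does.
make_test_pe() is a constructed header, not the analysed sample."""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum.

    e_lfanew (at 0x3C) -> 'PE\\0\\0' (4 bytes) -> IMAGE_FILE_HEADER (20 bytes)
    -> CheckSum at +64 of the optional header, the same for PE32 and PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Ones'-complement (end-around carry) sum of every little-endian 16-bit
    word, with the 4-byte CheckSum field treated as zero, folded to 16 bits,
    plus the file length. Same arithmetic as pefile's generate_checksum()."""
    total = 0
    size = len(data)
    for i in range(0, size, 2):
        if checksum_offset <= i < checksum_offset + 4:
            continue  # the stored checksum must not feed its own computation
        word = data[i] | (data[i + 1] << 8) if i + 1 < size else data[i]  # odd tail byte
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + size) & 0xFFFFFFFF


def verify_checksum(data: bytes):
    """Return (stored, computed, matches) for a PE image."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def fix_checksum(data: bytes) -> bytes:
    """Return a copy with the CheckSum field set to the recomputed value."""
    off = checksum_field_offset(data)
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)


def make_test_pe(stored_checksum: int = 0) -> bytes:
    """Constructed minimal PE32 DLL header (not the sample) to exercise the code."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ") + bytearray(0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader 0xE0,
    # Characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL, like the sample
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 64, stored_checksum)   # the field under test
    body = bytes(range(256)) * 2                       # stand-in for section data
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_test_pe()
    stored, computed, ok = verify_checksum(data)
    print(f"stored 0x{stored:x}, computed 0x{computed:x}, {'OK' if ok else 'MISMATCH'}")
```

Because the CheckSum field is excluded from its own sum, patching it in (fix_checksum) does not change the computed value, which is the property that lets a reference tool and this code agree; run the script against the DLL to confirm which of the two numbers in the report is the header value and which is the recomputed one.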

                        Hooking and other Techniques for Hiding and Protection:

                        barindex
                        Yara detected UrsnifShow sources
                        Source: Yara matchFile source: vqirYMB1c4.dll, type: SAMPLE
                        Source: Yara matchFile source: 0.2.loaddll32.exe.6dd90000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 26.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 21.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 13.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 16.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.603138321.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000010.00000002.623198627.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000015.00000002.623197671.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001A.00000002.591215493.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000002.590997709.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.558142620.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.623150210.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\loaddll32.exe | API coverage: 9.4 %
                        Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 5.8 %
                        Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDD07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DDD07A7
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDF966F mov eax, dword ptr fs:[00000030h] 0_2_6DDF966F
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DDF966F mov eax, dword ptr fs:[00000030h] 2_2_6DDF966F
                        Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDD07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DDD07A7
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDF1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DDF1F6D
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDD0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6DDD0288
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DDD07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6DDD07A7
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DDF1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6DDF1F6D
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DDD0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6DDD0288
                        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\vqirYMB1c4.dll',#1
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: loaddll32.exe, 00000000.00000002.586963868.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.558082654.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.618046183.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.579427041.0000000003830000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.618512859.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.618413676.0000000003A20000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.574904537.0000000003AA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                        Source: loaddll32.exe, 00000000.00000002.586963868.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.558082654.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.618046183.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.579427041.0000000003830000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.618512859.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.618413676.0000000003A20000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.574904537.0000000003AA0000.00000002.00000001.sdmp | Binary or memory string: Progman
                        Source: loaddll32.exe, 00000000.00000002.586963868.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.558082654.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.618046183.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.579427041.0000000003830000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.618512859.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.618413676.0000000003A20000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.574904537.0000000003AA0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
                        Source: loaddll32.exe, 00000000.00000002.586963868.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.558082654.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.618046183.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.579427041.0000000003830000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.618512859.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.618413676.0000000003A20000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.574904537.0000000003AA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
                        Source: loaddll32.exe, 00000000.00000002.586963868.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.558082654.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.618046183.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.579427041.0000000003830000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.618512859.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.618413676.0000000003A20000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.574904537.0000000003AA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDD0604 cpuid 0_2_6DDD0604
                        Source: C:\Windows\System32\loaddll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6DE0DD96
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6DE0E518
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, 0_2_6DE0DF65
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6DE0E6EC
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, 0_2_6DE0E61F
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, 0_2_6DDCF1B7
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6DE0E19F
                        Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, 0_2_6DE03952
                        Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, 0_2_6DE0E112
                        Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, 0_2_6DE0E077
                        Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, 0_2_6DE0E00E
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, 0_2_6DE0E3EF
                        Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoEx, 0_2_6DDCF364
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, 0_2_6DE04323
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6DE0DD96
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6DE0E518
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 2_2_6DE0DF65
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6DE0E6EC
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 2_2_6DE0E61F
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 2_2_6DDCF1B7
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6DE0E19F
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 2_2_6DE03952
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 2_2_6DE0E112
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 2_2_6DE0E077
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 2_2_6DE0E00E
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 2_2_6DE0E3EF
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoEx, 2_2_6DDCF364
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 2_2_6DE04323
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDD09F0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6DDD09F0
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DE0877C _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_6DE0877C

                        Stealing of Sensitive Information:

                        Yara detected Ursnif
                        Source: Yara match | File source: vqirYMB1c4.dll, type: SAMPLE
                        Source: Yara match | File source: 0.2.loaddll32.exe.6dd90000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 26.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 21.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 16.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.603138321.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000010.00000002.623198627.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.623197671.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000001A.00000002.591215493.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000002.590997709.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.558142620.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.623150210.000000006DD91000.00000020.00020000.sdmp, type: MEMORY

                        Remote Access Functionality:

                        Yara detected Ursnif
                        Source: Yara match | File source: vqirYMB1c4.dll, type: SAMPLE
                        Source: Yara match | File source: 0.2.loaddll32.exe.6dd90000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 26.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 21.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 16.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.603138321.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000010.00000002.623198627.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.623197671.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000001A.00000002.591215493.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000002.590997709.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.558142620.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.623150210.000000006DD91000.00000020.00020000.sdmp, type: MEMORY
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DD916BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_6DD916BC
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6DD916BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 2_2_6DD916BC

                        Mitre Att&ck Matrix

                        Techniques per tactic column (the trailing number shown next to a technique on the page is kept in parentheses):

                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
                        Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
                        Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
                        Privilege Escalation: Process Injection (12); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
                        Defense Evasion: Rundll32 (1); Process Injection (12); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2)
                        Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS
                        Discovery: System Time Discovery (2); Security Software Discovery (1); Process Discovery (1); System Information Discovery (22)
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
                        Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
                        Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation
                        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
                        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                        Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

                        Behavior Graph


                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        [Behavior graph; the rendered image is not captured here] Behavior Graph ID: 448076; Sample: vqirYMB1c4; Start date: 13/07/2021; Architecture: WINDOWS; Score: 64. Signatures attached to the root node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Ursnif. Process nodes: loaddll32.exe is started from the root; it starts cmd.exe, two rundll32.exe instances and 5 other processes; from those, a rundll32.exe (child of cmd.exe) and several cmd.exe children of the rundll32.exe instances are started (the captured node list ends here).