Windows Analysis Report 1c8.dll

Overview

General Information

Sample Name: 1c8.dll
Analysis ID: 448651
MD5: 1c87b3ebc5ddf8f53e585b3cf8f74f47
SHA1: 4579705a3e0e8b644fcf30d4c79456b0e4f669b8
SHA256: f2dfc3562e150ca045557559269c3c21531bb85292864109fd2ceca4fe0f1ea9
Tags: dll, gozi

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000003.766216360.00000000010C0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 1c8.dll Metadefender: Detection: 22%
Source: 1c8.dll ReversingLabs: Detection: 60%

Compliance:

Uses 32bit PE files
Source: 1c8.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 1c8.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, 00000000.00000002.920236216.000000006D414000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.922133756.000000006D414000.00000002.00020000.sdmp, 1c8.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49741 -> 40.97.128.194:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.128.194
Source: Joe Sandbox View IP Address: 52.97.232.194
Source: global traffic HTTP traffic detected:
GET /grower/IGPiFOK9TunC/gPtC5_2F4YG/ZzNVH5SYgNPO4r/Psx6BaSL6yLcaujEgpw7P/tYMT5RnKSeCB9jBg/3iH6euhlA_2FGYG/rhrfnjjJUD3Y1TDXr8/g3m2c4nF8/bM6OTpEkWKHOq9wInEON/2HRIvyEq85fMK7VnDSk/ESY1C1z2RWNeT9llxDcxvu/GKJMCp_2FJD6L/hm1dCsQj.grow HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: outlook.com
Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: outlook.com
Source: ~DF547E5E23E7DFF857.TMP.12.dr, {0A0F511C-E4AA-11EB-90EB-ECF4BBEA1588}.dat.12.dr String found in binary or memory: https://outlook.office365.com/grower/IGPiFOK9TunC/gPtC5_2F4YG/ZzNVH5SYgNPO4r/Psx6BaSL6yLcaujEgpw7P/t
Source: ~DF4099CF7A12250C28.TMP.12.dr, {0A0F511E-E4AA-11EB-90EB-ECF4BBEA1588}.dat.12.dr String found in binary or memory: https://outlook.office365.com/grower/iSa3U_2FCrZy/TdWTQggM2F_/2F4Qd7iLvOzuNw/Q11HFiIe_2BP9wOCf9bSc/9

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6956, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3D1996 GetProcAddress,NtCreateSection,memset, 0_2_6D3D1996
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3D1A44 NtMapViewOfSection, 0_2_6D3D1A44
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3D23A5 NtQueryVirtualMemory, 0_2_6D3D23A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01175A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_01175A27
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0117B1A5 NtQueryVirtualMemory, 0_2_0117B1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008A5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_008A5A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008AB1A5 NtQueryVirtualMemory, 3_2_008AB1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04C25A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_04C25A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04C2B1A5 NtQueryVirtualMemory, 6_2_04C2B1A5
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6D403290 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D403290 appears 39 times
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll32.exe Section loaded: sxs.dll
Source: classification engine Classification label: mal80.troj.winDLL@18/7@6/4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0117A65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_0117A65C
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A0F511A-E4AA-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF34CE60BF8360E948.TMP
Source: 1c8.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Clockcondition
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\1c8.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Dogwhen
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Sing
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Wholegray
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 1c8.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1c8.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1c8.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1c8.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1c8.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1c8.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1c8.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1c8.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1c8.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1c8.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1c8.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3D1BAC LoadLibraryA,GetProcAddress, 0_2_6D3D1BAC
PE file contains an invalid checksum
Source: 1c8.dll Static PE information: real checksum: 0x6292a should be: 0x64320
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3D2120 push ecx; ret 0_2_6D3D2129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3D2173 push ecx; ret 0_2_6D3D2183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0117AF6F push ecx; ret 0_2_0117AF7F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0117ABC0 push ecx; ret 0_2_0117ABC9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3FDE07 push ecx; ret 0_2_6D3FDE1A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3E103D push cs; ret 0_2_6D3E103E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4032D5 push ecx; ret 0_2_6D4032E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3E2AD8 push edx; retf 0_2_6D3E2AD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008AD23C push eax; retf 3_2_008AD251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008AD1B0 push eax; retf 3_2_008AD251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008AABC0 push ecx; ret 3_2_008AABC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008AD14D push eax; retf 3_2_008AD251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008AAF6F push ecx; ret 3_2_008AAF7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D3FDE07 push ecx; ret 3_2_6D3FDE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D3E103D push cs; ret 3_2_6D3E103E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4032D5 push ecx; ret 3_2_6D4032E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04C2ABC0 push ecx; ret 6_2_04C2ABC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04C2AF6F push ecx; ret 6_2_04C2AF7F

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D40AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6D40AFAC
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D40AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6D40AFAC
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3D1BAC LoadLibraryA,GetProcAddress, 0_2_6D3D1BAC
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D42E2D8 mov eax, dword ptr fs:[00000030h] 0_2_6D42E2D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D42E207 mov eax, dword ptr fs:[00000030h] 0_2_6D42E207
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D42DE0E push dword ptr fs:[00000030h] 0_2_6D42DE0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D42E2D8 mov eax, dword ptr fs:[00000030h] 3_2_6D42E2D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D42E207 mov eax, dword ptr fs:[00000030h] 3_2_6D42E207
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D42DE0E push dword ptr fs:[00000030h] 3_2_6D42DE0E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D403484 GetProcessHeap, 0_2_6D403484
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3FFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D3FFEBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D3FFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6D3FFEBA

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1
Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01179135 cpuid 0_2_01179135
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_6D40EC14
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_6D402C5A
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6D40EF45
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6D40EFC8
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6D40EEC8
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6D40EE88
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_6D40D10F
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6D4029A0
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6D40F1BD
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_6D3FE036
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6D40AB64
Source: C:\Windows\System32\loaddll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 0_2_6D40CB0D
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_6D40F394
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6D402A26
Source: C:\Windows\System32\loaddll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6D40F2E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 3_2_6D402C5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 3_2_6D40EC14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_6D40D10F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6D40EF45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6D40EFC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6D40EEC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D40EE88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D4029A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6D40F1BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 3_2_6D3FE036
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_6D40AB64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 3_2_6D40CB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 3_2_6D40F394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6D402A26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6D40F2E7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3D1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6D3D1ADA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01179135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_01179135
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D3D1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6D3D1F0E

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.849775483.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848756217.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.849876753.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.850076693.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848724837.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848569421.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.850098978.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848820548.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.919640780.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.850034271.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848847828.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848790447.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848684716.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.849999289.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.918801492.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848623660.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.849834165.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.849965613.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6956, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.849775483.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848756217.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.849876753.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.850076693.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848724837.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848569421.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.850098978.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848820548.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.919640780.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.850034271.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848847828.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848790447.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848684716.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.849999289.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.918801492.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.848623660.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.849834165.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.849965613.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6956, type: MEMORY