Windows Analysis Report ELQSEuKior

Overview

General Information

Sample Name: ELQSEuKior (renamed file extension from none to dll)
Analysis ID: 449061
MD5: 2f1e2c8b741594e48eea9cf01e24cdba
SHA1: d6a59cfcfd712ad2b7124a9f812d5c6ed328ab84
SHA256: ff12254275bb4cae4f1225535408dd466bf0a4d41727abca9576dbb427f44014

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Conhost Parent Process Executions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ELQSEuKior.dll Avira: detected
Multi AV Scanner detection for submitted file
Source: ELQSEuKior.dll Virustotal: Detection: 67%
Source: ELQSEuKior.dll Metadefender: Detection: 57%
Source: ELQSEuKior.dll ReversingLabs: Detection: 89%

Compliance:

Uses 32bit PE files
Source: ELQSEuKior.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: ELQSEuKior.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb source: loaddll32.exe, 00000000.00000002.490375280.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.507696729.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.483332321.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.486289723.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.503913812.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.512153585.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.503906509.000000006E26A000.00000002.00020000.sdmp, ELQSEuKior.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: ELQSEuKior.dll, type: SAMPLE
Source: Yara match File source: 15.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.486237999.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.507296216.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.491922041.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.485057539.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.483288618.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.503861971.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.490312079.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.490259189.00000000010BB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E223E00 0_2_6E223E00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E221C3C 0_2_6E221C3C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2567D9 0_2_6E2567D9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2484BB 0_2_6E2484BB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2602BC 0_2_6E2602BC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E250396 0_2_6E250396
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E23E079 0_2_6E23E079
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E235150 0_2_6E235150
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2261B2 0_2_6E2261B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E223E00 2_2_6E223E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E221C3C 2_2_6E221C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E2567D9 2_2_6E2567D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E2484BB 2_2_6E2484BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E2602BC 2_2_6E2602BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E250396 2_2_6E250396
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E23E079 2_2_6E23E079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E235150 2_2_6E235150
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E223E00 3_2_6E223E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E221C3C 3_2_6E221C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2567D9 3_2_6E2567D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2484BB 3_2_6E2484BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2602BC 3_2_6E2602BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E250396 3_2_6E250396
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E23E079 3_2_6E23E079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E235150 3_2_6E235150
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E220990 appears 35 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E2200AC appears 101 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E220990 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E2423A9 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E2200AC appears 200 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E2200E0 appears 58 times
Source: classification engine Classification label: mal64.troj.winDLL@53/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1124:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2100:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2044:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_01
Source: ELQSEuKior.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Connectdark
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Connectdark
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Mindlake
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Porthigh
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Problemscale
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,WingGrass
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Connectdark
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Mindlake
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Porthigh
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,WingGrass
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: ELQSEuKior.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ELQSEuKior.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ELQSEuKior.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ELQSEuKior.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ELQSEuKior.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ELQSEuKior.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ELQSEuKior.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ELQSEuKior.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ELQSEuKior.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ELQSEuKior.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ELQSEuKior.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains an invalid checksum
Source: ELQSEuKior.dll Static PE information: real checksum: 0xf3990 should be: 0xeef60
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2209D6 push ecx; ret 0_2_6E2209E9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220075 push ecx; ret 0_2_6E220088
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E2209D6 push ecx; ret 2_2_6E2209E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E220075 push ecx; ret 2_2_6E220088
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2209D6 push ecx; ret 3_2_6E2209E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E220075 push ecx; ret 3_2_6E220088

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found large amount of non-executed APIs
Source: C:\Windows\System32\loaddll32.exe API coverage: 5.0 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.9 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.2 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E241F6D
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E24966F mov eax, dword ptr fs:[00000030h] 0_2_6E24966F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E24966F mov eax, dword ptr fs:[00000030h] 2_2_6E24966F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E24966F mov eax, dword ptr fs:[00000030h] 3_2_6E24966F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2207A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E2207A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E220288
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E241F6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E2207A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E2207A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E220288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E220288
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E241F6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2207A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E2207A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E220288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E220288

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: loaddll32.exe, 00000000.00000002.490278339.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.490903193.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.483251491.00000000039E0000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.474301611.0000000003510000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503824249.0000000003480000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.499291261.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.469760554.0000000002FD0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.490278339.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.490903193.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.483251491.00000000039E0000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.474301611.0000000003510000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503824249.0000000003480000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.499291261.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.469760554.0000000002FD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.490278339.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.490903193.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.483251491.00000000039E0000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.474301611.0000000003510000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503824249.0000000003480000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.499291261.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.469760554.0000000002FD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.490278339.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.490903193.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.483251491.00000000039E0000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.474301611.0000000003510000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503824249.0000000003480000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.499291261.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.469760554.0000000002FD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220604 cpuid 0_2_6E220604
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E25DF65
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6E25DD96
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E253952
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E25E61F
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E25E6EC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E25E518
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E254323
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoEx, 0_2_6E21F364
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E25E3EF
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E25E00E
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E25E077
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E25E112
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E21F1B7
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E25E19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E25DF65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6E25DD96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E253952
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E25E61F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E25E6EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6E25E518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E254323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 2_2_6E21F364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E25E3EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E25E00E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E25E077
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E25E112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E21F1B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E25E19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E25DF65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E25DD96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E253952
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E25E61F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E25E6EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E25E518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E254323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 3_2_6E21F364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E25E3EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E25E00E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E25E077
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E25E112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E21F1B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E25E19F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E209A14 GetSystemTimeAsFileTime, 0_2_6E209A14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E258951 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_6E258951

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: ELQSEuKior.dll, type: SAMPLE
Source: Yara match File source: 15.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.486237999.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.507296216.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.491922041.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.485057539.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.483288618.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.503861971.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.490312079.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: ELQSEuKior.dll, type: SAMPLE
Source: Yara match File source: 15.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.486237999.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.507296216.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.491922041.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.485057539.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.483288618.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.503861971.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.490312079.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_6E1E16BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E1E16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 2_2_6E1E16BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1E16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 3_2_6E1E16BC
No contacted IP infos