Windows Analysis Report mental.dll

Overview

General Information

Sample Name: mental.dll
Analysis ID: 455445
MD5: 244fcb71c16ab8163f25c633dcb91b1c
SHA1: cf0256c44be6b311558358bb00f9ec257ec90236
SHA256: 48589e8612584c5b67c325367e53b63379dbf984a0a0dc905bd29fd3f7fd6c03

Detection

Ursnif
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://gtr.antoinfer.com/mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z Avira URL Cloud: Label: malware
Source: http://gtr.antoinfer.com/02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000003.00000003.773640862.0000000000780000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "5/Y58l5cMfSS6UVE2qwUPZ8h4BZIDuitNieuSeExhGIYp38mO1KlDb9BgD8MZDpCVIqOs83i+UuS7wSTYyLzqLIpEfJvw6IqNOxE0Nj1pnQUhkMjOOyeKT26+dcTRw0X3cDnXGQeXK0BURYDVIi9qI6C9idxUYquGCxlZ3M8J0VdrIL6/2Z4IWUGU9Fobm/mPnd9dMNDYBJzN5iMU0/zCaGPmjT/gVPYhstSarstSrBXvVQck6yXEgx0w1ETruWctJSlrx1LRl0Wqr6+4Ts0TQO/lRIcDE4if5nsnojzxswoVvIRdpxV7UOjuZphAusEANjuHiVamP6ZL+7s3D+g4AuY4oLOSzm+52Ja3ImN5vo=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "MEvpZnH81JLxaRqa", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: gtr.antoinfer.com Virustotal: Detection: 7%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_00DE39C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007939C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_007939C5

Compliance:

Uses 32bit PE files
Source: mental.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: mental.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\135\Dark\841\582_Free\Thin\Segment.pdb source: loaddll32.exe, rundll32.exe, mental.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49741 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49741 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49746 -> 185.228.233.17:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ITOS-ASRU ITOS-ASRU
Source: global traffic HTTP traffic detected:
GET /02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: gtr.antoinfer.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_00DE39C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007939C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_007939C5

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D471EC7 NtMapViewOfSection, 0_2_6D471EC7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D471B9C GetProcAddress,NtCreateSection,memset, 0_2_6D471B9C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D472485 NtQueryVirtualMemory, 0_2_6D472485
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00DE2D06
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE8005 NtQueryVirtualMemory, 0_2_00DE8005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00792D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_00792D06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00798005 NtQueryVirtualMemory, 3_2_00798005
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D472264 0_2_6D472264
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE2206 0_2_00DE2206
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE7DE0 0_2_00DE7DE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE3109 0_2_00DE3109
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D48DCB0 0_2_6D48DCB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D48C9A5 0_2_6D48C9A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D48387C 0_2_6D48387C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D48B024 0_2_6D48B024
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D47FE5A 0_2_6D47FE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00792206 3_2_00792206
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00793109 3_2_00793109
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00797DE0 3_2_00797DE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D48DCB0 3_2_6D48DCB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D48C9A5 3_2_6D48C9A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D48387C 3_2_6D48387C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D48B024 3_2_6D48B024
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D47FE5A 3_2_6D47FE5A
Uses 32bit PE files
Source: mental.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal88.troj.winDLL@16/8@2/2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00DE513E
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9D47ABEC-EF99-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF6E67667E2D178577.TMP
Source: mental.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Behind
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\mental.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Behind
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Factpresent
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Steadunder
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17420 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: mental.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: mental.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\135\Dark\841\582_Free\Thin\Segment.pdb source: loaddll32.exe, rundll32.exe, mental.dll

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D471F7C LoadLibraryA,GetProcAddress, 0_2_6D471F7C
PE file contains an invalid checksum
Source: mental.dll Static PE information: real checksum: 0x62305 should be: 0x670d4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D472253 push ecx; ret 0_2_6D472263
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D472200 push ecx; ret 0_2_6D472209
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE7A60 push ecx; ret 0_2_00DE7A69
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE7DCF push ecx; ret 0_2_00DE7DDF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D48FC77 push ecx; ret 0_2_6D48FC78
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D490CBF push ss; ret 0_2_6D490CE4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D47F7C5 push ecx; ret 0_2_6D47F7D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D493AAC push ecx; retf 0_2_6D493AB1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4CBA1A push A00002CFh; iretd 0_2_6D4CBA21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00797A60 push ecx; ret 3_2_00797A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00797DCF push ecx; ret 3_2_00797DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4941C6 pushad ; iretd 3_2_6D4941CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D48FC77 push ecx; ret 3_2_6D48FC78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D490CBF push ss; ret 3_2_6D490CE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D493F7D pushad ; ret 3_2_6D493FC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D47F7C5 push ecx; ret 3_2_6D47F7D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D493AAC push ecx; retf 3_2_6D493AB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4CBA1A push A00002CFh; iretd 3_2_6D4CBA21

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D47E4C3 IsDebuggerPresent, 0_2_6D47E4C3
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4868A8 LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6D4868A8
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D471F7C LoadLibraryA,GetProcAddress, 0_2_6D471F7C
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4CA7ED mov eax, dword ptr fs:[00000030h] 0_2_6D4CA7ED
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4CA71C mov eax, dword ptr fs:[00000030h] 0_2_6D4CA71C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4CA323 push dword ptr fs:[00000030h] 0_2_6D4CA323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4CA7ED mov eax, dword ptr fs:[00000030h] 3_2_6D4CA7ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4CA71C mov eax, dword ptr fs:[00000030h] 3_2_6D4CA71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4CA323 push dword ptr fs:[00000030h] 3_2_6D4CA323
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D47EA62 GetProcessHeap, 0_2_6D47EA62

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE4454 cpuid 0_2_00DE4454
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6D471E8A
Source: C:\Windows\System32\loaddll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6D489540
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,__invoke_watson, 0_2_6D47F974
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6D489121
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_6D4895ED
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6D48919E
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_6D487594
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6D47E05B
Source: C:\Windows\System32\loaddll32.exe Code function: __crtGetLocaleInfoA_stat, 0_2_6D48806A
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6D47E01E
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6D489416
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6D4890E1
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 0_2_6D486F92
Source: C:\Windows\System32\loaddll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_6D488E6D
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6D489221
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6D489540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,__invoke_watson, 3_2_6D47F974
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6D489121
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 3_2_6D4895ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6D48919E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_6D487594
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6D47E05B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __crtGetLocaleInfoA_stat, 3_2_6D48806A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D47E01E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6D489416
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D4890E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 3_2_6D486F92
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 3_2_6D488E6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6D489221
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D471144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6D471144
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DE4454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00DE4454
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D471F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6D471F10
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR
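The two capability sections above (Stealing of Sensitive Information, Remote Access Functionality) cite the same twenty Yara hits, and those hits reduce to two memory regions: base 0x3D18000 in loaddll32.exe (process index 0) and base 0x5018000 in rundll32.exe (process index 3), each snapshotted repeatedly during the run. Neither base lies inside the module the code-function lines place at 0x6D47xxxx, which is worth knowing before pivoting to dumps for configuration extraction. The following parser is an added example, not part of the Joe Sandbox report or its tooling. It assumes the dump-name layout is process-index.phase.sequence.base.flag.flag, that the process index maps to the "0_2_" / "3_2_" prefixes on the page's code-function lines, and that phase 2 is the end-of-run snapshot while phase 3 is an in-run snapshot; the flag fields are carried through without interpretation. The sample lines are a constructed excerpt of the evidence above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's "Yara detected Ursnif" evidence lines.
REPORT_LINES = """\
Source: Yara match File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR
"""

# Process index -> image, taken from the "N_2_<addr>" prefixes on the page's
# code-function lines (0 = loaddll32.exe, 3 = rundll32.exe). Assumed mapping.
PROCESS_INDEX = {0: "loaddll32.exe", 3: "rundll32.exe"}

# Assumed dump-name layout: proc.phase.sequence.base.flag.flag.sdmp
DUMP_RE = re.compile(
    r"File source: (?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)"
    r"\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp"
)
PIDSTR_RE = re.compile(r"Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)")


def parse_yara_sources(text):
    """Turn the report's Yara evidence lines into structured hits."""
    hits = []
    for line in text.splitlines():
        if "Yara match" not in line:
            continue
        m = DUMP_RE.search(line)
        if m:
            proc = int(m["proc"], 16)
            hits.append({
                "kind": "dump",
                "proc_index": proc,
                "image": PROCESS_INDEX.get(proc, "unknown"),
                "phase": int(m["phase"], 16),  # assumed: 2 = end of run, 3 = during run
                "seq": int(m["seq"]),
                "base": int(m["base"], 16),
                "flags": (m["prot"], m["kind"]),  # kept raw, not interpreted
            })
            continue
        m = PIDSTR_RE.search(line)
        if m:
            hits.append({"kind": "memorystr", "image": m["image"], "pid": int(m["pid"])})
    return hits


def regions(hits):
    """Collapse dump hits to (image, base) -> number of snapshots that matched.

    Many hits on one base mean the rule fired on the same buffer each time it
    was dumped, not on many distinct artifacts.
    """
    out = defaultdict(int)
    for h in hits:
        if h["kind"] == "dump":
            out[(h["image"], h["base"])] += 1
    return dict(out)


def snapshot_phases(hits, image):
    """Which snapshot phases (assumed 2 = final, 3 = in-run) matched for an image."""
    return sorted({h["phase"] for h in hits if h["kind"] == "dump" and h["image"] == image})


def final_dumps(hits):
    """The one end-of-run dump per region: the smallest set to pull for config extraction."""
    return sorted(
        (h["image"], h["base"], h["seq"]) for h in hits if h["kind"] == "dump" and h["phase"] == 2
    )


def evidence_set(text):
    """Normalised set of Yara evidence lines, for comparing two report sections."""
    return frozenset(l.strip() for l in text.splitlines() if "Yara match" in l)


if __name__ == "__main__":
    hits = parse_yara_sources(REPORT_LINES)
    for (image, base), n in sorted(regions(hits).items()):
        print(f"{image}: region {base:#x} matched in {n} snapshot(s), phases {snapshot_phases(hits, image)}")
    print("final dumps to pull:", final_dumps(hits))
```

Running evidence_set over the Stealing of Sensitive Information list and the Remote Access Functionality list from this page returns equal sets, so the two headings add no independent evidence; they are the same rule match filed under two capabilities. The two end-of-run dumps (sequence 924921046 for loaddll32.exe, 925438846 for rundll32.exe) are the ones to hand to a config extractor.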