Windows Analysis Report 50.dll

Overview

General Information

Sample Name: 50.dll
Analysis ID: 498828
MD5: 03a4adf216161aceabaf8b9cbde58308
SHA1: 5b37a2bdc58279f1f1e31038fff1f859eec76cf6
SHA256: e0e9821e1c172ee90b6ea27d96a0e9053269fb48bcbe7ec4fb42e048da9f4e8a
Tags: dll

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000002.00000003.438939815.0000000003060000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "spMgSJlMsbtyYJa7J98r3sDVnAauyYqUMJmfcOwftrNnR0Q/C00j0nLxLEQJJp6q/6NEKbKUj0/JgWKRbzzHEB4F6RQgzHtMFW3wSImU2nYZ9tLVzVwdEUFZI5FukXQ3NiY2htJmxqUn2twjM931KOxXZ4RzDvIB/4hTvpsWTDF+n4G7YGtk1nZlke9r+CWY", "c2_domain": ["golang.feel500.at/api1", "api10.laptok.at/api1"], "botnet": "2200", "server": "730", "serpent_key": "wyzQ2rMFkB7aXutb", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 50.dll Virustotal: Detection: 60%
Source: 50.dll Metadefender: Detection: 27%
Source: 50.dll ReversingLabs: Detection: 71%
Antivirus / Scanner detection for submitted sample
Source: 50.dll Avira: detected
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at Virustotal: Detection: 14%
Source: golang.feel500.at Virustotal: Detection: 11%

Compliance:

Uses 32bit PE files
Source: 50.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 50.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\colorEarth\energySend\RiseRide\SisterFlower\waveBear\Product.pdb source: loaddll32.exe, 00000000.00000002.805046595.000000006E9F5000.00000002.00020000.sdmp, 50.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0259A282 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49793 -> 87.106.18.141:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49793 -> 87.106.18.141:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49795 -> 87.106.18.141:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.106.18.141
Source: msapplication.xml0.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x0ec88392,0x01d7bbc9</date><accdate>0x0ec88392,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x0ec88392,0x01d7bbc9</date><accdate>0x0ec88392,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0ed20c0d,0x01d7bbc9</date><accdate>0x0ed20c0d,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0ed20c0d,0x01d7bbc9</date><accdate>0x0ed20c0d,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0ed932f5,0x01d7bbc9</date><accdate>0x0ed932f5,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0ed932f5,0x01d7bbc9</date><accdate>0x0ed932f5,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: loaddll32.exe, 00000000.00000002.803654054.0000000001BB0000.00000002.00020000.sdmp String found in binary or memory: http://api10.laptok.at/api1/9RmUtQcDZhfIk1c/nHzONe5_2BBvJ2yBiQ/7EpiCVM7W/f4E0uY3D227v2RDuExxP/z
Source: {654BE4AB-27BC-11EC-90E9-ECF4BB862DED}.dat.36.dr String found in binary or memory: http://api10.laptok.at/api1/9RmUtQcDZhfIk1c/nHzONe5_2BBvJ2yBiQ/7EpiCVM7W/f4E0uY3D227v2RDuExxP/zjYG_2
Source: loaddll32.exe, 00000000.00000002.803654054.0000000001BB0000.00000002.00020000.sdmp String found in binary or memory: http://api10.laptok.at/api1/Jq38ICaRqPy/g8cT5EDuzQRTfd/bDaQidhBmNREYWZABcNxO/6xll5SLapn_2FusJ/i
Source: {60EB5440-27BC-11EC-90E9-ECF4BB862DED}.dat.34.dr String found in binary or memory: http://api10.laptok.at/api1/Jq38ICaRqPy/g8cT5EDuzQRTfd/bDaQidhBmNREYWZABcNxO/6xll5SLapn_2FusJ/iHdi_2
Source: {391FBB83-27BC-11EC-90E9-ECF4BB862DED}.dat.15.dr, ~DF724E8AB2918CB9FB.TMP.15.dr String found in binary or memory: http://golang.feel500.at/api1/NRk_2FVJ/wA96x_2FCs_2BXPQBfDRJnC/8ZaJOikUxp/tNUL_2F9bDwQb7Nw0/4hAwTXCC
Source: {531DF9CC-27BC-11EC-90E9-ECF4BB862DED}.dat.27.dr, ~DF614A578B8A0039D2.TMP.27.dr String found in binary or memory: http://golang.feel500.at/api1/QKqJb_2FIetnA30Lrh/D_2BUq5Xp/A5g0RhnO33fAZ8QR_2BE/MeaF1_2BnZPZU9RqKt3/
Source: ~DF9E71909E92B794F9.TMP.32.dr, {57B5605E-27BC-11EC-90E9-ECF4BB862DED}.dat.32.dr String found in binary or memory: http://golang.feel500.at/api1/YLF22kb3qppYj0qV_2FrBA/gmsmY04uRW1XV/l2QyGLGA/GtEQ6XjZAWGXWxCNpGcTaDx/
Source: msapplication.xml.15.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.15.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.15.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.15.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.15.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.15.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.15.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.15.dr String found in binary or memory: http://www.youtube.com/
Source: unknown DNS traffic detected: queries for: golang.feel500.at
Source: global traffic HTTP traffic detected:
GET /api1/Jq38ICaRqPy/g8cT5EDuzQRTfd/bDaQidhBmNREYWZABcNxO/6xll5SLapn_2FusJ/iHdi_2FbiOmTGGb/BXo7JAZFG1eu_2FtyI/cNFtxMNBR/zYGeZfeXbEOB1SyQFsvB/rB0Q_2FZQZ0YZi_2FRO/tidnHoD06Cgh_2FRad0Stl/qK8jV1z_2FTo2/PBtT0ki_/2BubNruXDtYtZ2wLQ_2BEya/1EtRRJfeUI/5CMi0T2vwqXTEyNz1/lyOJ_2BtNXg9/d_2B7LGgvGV/55GaKjfY_2FDfj/svm_0A_0DtNmhHj6ls2X4/2lW3OzRcv2PkceFw/VNJ6ep7w_2FRmj_2FWh4Js/N HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: api10.laptok.at
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /api1/9RmUtQcDZhfIk1c/nHzONe5_2BBvJ2yBiQ/7EpiCVM7W/f4E0uY3D227v2RDuExxP/zjYG_2FjR1JK0Cdmuq7/JUrUMl2hsVJQOhQQrJjdjI/lE7jBPvrlvBD9/Eqgu2Y0S/_2FHxIBiKM99DvrRblH0nvV/kCN2W88lpy/lXYy2rxZX1fnU6LEk/1F2dsOnkIM4n/gevEdeTc_2F/PmNNaIgvx9qczG/o0sHDdRiEaK9_2F3dDlYN/KN8GHFQNDyxdo2UR/PPq4SUNELaWLIO_/0A_0DzqmFbCxXnCfo4/INkWBFYtG/ncFEw74zm9E4h83K_2FU/jx5qA20TXkJiA0KWOxZ/VG0Riowa/X HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: api10.laptok.at
Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.479416380.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479376627.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804482994.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495439556.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496320513.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479510909.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479453127.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496294032.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496277018.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495483618.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496244695.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479614184.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479576032.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496057082.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479548431.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479596189.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.622172269.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496215226.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3148, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.51b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.44c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4eb94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.30b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.44b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.51b94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.44b94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4eb94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.44c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.33594a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.33594a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.621232674.00000000044C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.478390389.0000000004EB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804033989.0000000003359000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.492977892.00000000044B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.503835282.00000000051B9000.00000004.00000040.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.802215497.00000000015CB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: 50.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B22A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9DCF87
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E4DF9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F1D79
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F3AC2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9EABE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E2308
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0259AEE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02595494
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E9E4810 appears 41 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B1880 NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B15AB GetLastError,NtClose
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B1CEF GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B24C5 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0259963C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0259B105 NtQueryVirtualMemory
Sample file is different than original file name gathered from version info
Source: 50.dll Binary or memory string: OriginalFilenameProduct.dllF vs 50.dll
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll32.exe Section loaded: mspdb140.dll
Source: 50.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 50.dll Virustotal: Detection: 60%
Source: 50.dll Metadefender: Detection: 27%
Source: 50.dll ReversingLabs: Detection: 71%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\50.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\50.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\50.dll,@DllRegisterServer@0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\50.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\50.dll,@DllUnregisterServer@0
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\50.dll,@Properwhat@8
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7056 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6992 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3892 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5580 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6888 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFB26ED506A2ACFD75.TMP
Source: classification engine Classification label: mal100.troj.winDLL@26/49@11/1
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0259846C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 50.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 50.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 50.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 50.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 50.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 50.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 50.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\colorEarth\energySend\RiseRide\SisterFlower\waveBear\Product.pdb source: loaddll32.exe, 00000000.00000002.805046595.000000006E9F5000.00000002.00020000.sdmp, 50.dll
Source: 50.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 50.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 50.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 50.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 50.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B2293 push ecx; ret 0_2_6E9B22A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B2240 push ecx; ret 0_2_6E9B2249
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C444B push ebp; iretd 0_2_6E9C4450
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C1582 push edx; retf 0_2_6E9C15C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C2213 push esp; ret 0_2_6E9C221B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C3B79 push esp; iretd 0_2_6E9C3BAC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E4855 push ecx; ret 0_2_6E9E4868
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E015B push ecx; ret 0_2_6E9E016E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0259AED3 push ecx; ret 3_2_0259AEE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0259ABA0 push ecx; ret 3_2_0259ABA9
Source: initial sample Static PE information: section name: .text entropy: 6.87960232272

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.479416380.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479376627.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804482994.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495439556.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496320513.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479510909.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479453127.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496294032.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496277018.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495483618.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496244695.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479614184.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479576032.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496057082.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479548431.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479596189.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.622172269.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496215226.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3148, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.51b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.44c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4eb94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.30b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.44b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.51b94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.44b94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4eb94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.44c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.33594a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.33594a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.621232674.00000000044C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.478390389.0000000004EB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804033989.0000000003359000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.492977892.00000000044B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.503835282.00000000051B9000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0259A282 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_0259A282

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9EEF7F ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6E9EEF7F
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9EEF7F ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6E9EEF7F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E4869 GetProcessHeap, 0_2_6E9E4869
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA06428 mov eax, dword ptr fs:[00000030h] 0_2_6EA06428
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA05F65 push dword ptr fs:[00000030h] 0_2_6EA05F65
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA0635E mov eax, dword ptr fs:[00000030h] 0_2_6EA0635E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E1F4D SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E9E1F4D

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\50.dll',#1
Source: loaddll32.exe, 00000000.00000002.803654054.0000000001BB0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.803654054.0000000001BB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.803654054.0000000001BB0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.803654054.0000000001BB0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6E9B19DA
Source: C:\Windows\System32\loaddll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E9EFEC0
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E9E3EF0
Source: C:\Windows\System32\loaddll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_6E9EF7ED
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E9E3F76
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_6E9EFF6D
Source: C:\Windows\System32\loaddll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 0_2_6E9ED769
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_6E9E0484
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E9EFD96
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_6E9EDD6B
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E9EFAA1
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E9EFA61
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E9EFBA1
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E9EFB1E
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6E9EC344
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_6E9E41DA
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E4886 cpuid 0_2_6E9E4886
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B13E4 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E9B13E4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E690A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_6E9E690A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B1371 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E9B1371
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02594472 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_02594472

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.479416380.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479376627.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804482994.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495439556.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496320513.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479510909.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479453127.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496294032.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496277018.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495483618.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496244695.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479614184.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479576032.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496057082.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479548431.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479596189.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.622172269.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496215226.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3148, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.51b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.44c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4eb94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.30b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.44b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.51b94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.44b94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4eb94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.44c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.33594a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.33594a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.621232674.00000000044C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.478390389.0000000004EB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804033989.0000000003359000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.492977892.00000000044B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.503835282.00000000051B9000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.479416380.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479376627.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804482994.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495439556.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496320513.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479510909.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479453127.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496294032.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496277018.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495483618.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496244695.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479614184.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479576032.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496057082.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479548431.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.479596189.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.622172269.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.496215226.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3148, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.51b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.44c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4eb94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.30b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.44b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.51b94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.44b94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4eb94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.44c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.33594a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.33594a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.621232674.00000000044C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.478390389.0000000004EB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804033989.0000000003359000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.492977892.00000000044B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.503835282.00000000051B9000.00000004.00000040.sdmp, type: MEMORY