Loading ...

Play interactive tourEdit tour

Windows Analysis Report c3.dll

Overview

General Information

Sample Name:c3.dll
Analysis ID:498859
MD5:c309ec3264c7bf7c771cca5703e841fe
SHA1:2af04c50d324bc6f42fe9714ea89cf300471c169
SHA256:616255c7f0697542e2a3e5e6b4834fffa5e56e7ede26612454674a9937d32a19
Tags:dll
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6364 cmdline: loaddll32.exe 'C:\Users\user\Desktop\c3.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6376 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6396 cmdline: rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6384 cmdline: rundll32.exe C:\Users\user\Desktop\c3.dll,@Againkind@0 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6436 cmdline: rundll32.exe C:\Users\user\Desktop\c3.dll,@Consonanttime@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6456 cmdline: rundll32.exe C:\Users\user\Desktop\c3.dll,@Nooncry@4 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "iZ+yu73sQgHWIoKVZvTBVFftBRzgg84Wo8cRK1WKzlYIyRSwRES+5puIFDGj4t/PJdO/J+rFd8Puk9xQXkAk5gtRJ+EiBjQZEhIJII9S4j9MojvldfnQXG4MCZq2vijykYOVQ/oipgSqNw946zszs4wFVrWAoZclk2bk1tyqtgqxkkj0TTwIXY2VfInsWFxD/3rDCluhcm6BGxwpQenf9WcO9HcjXScxWCVoj1xEKoz2EWs5Yz+47bMOX0XSfQdNTrhQDAWX7nAEEA6/oHUm46QdJTg5UtCf5yxbjwIgAf3SZboeJUyNSK7Q1WQQUlETGFBqUZa4n/YRWCQVzi42QoGrPxpP3LrDhlEYnFm7fQM=", "c2_domain": ["app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "3500", "server": "580", "serpent_key": "GfG96RIHgUj8PvPF", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
      00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
        00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
          00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.rundll32.exe.6f250000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              0.2.loaddll32.exe.31194a0.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                4.3.rundll32.exe.4238d07.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  2.3.rundll32.exe.2968d07.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                    5.3.rundll32.exe.2dc8d07.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                      Click to see the 4 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Antivirus / Scanner detection for submitted sampleShow sources
                      Source: c3.dllAvira: detected
                      Found malware configurationShow sources
                      Source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmpMalware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "iZ+yu73sQgHWIoKVZvTBVFftBRzgg84Wo8cRK1WKzlYIyRSwRES+5puIFDGj4t/PJdO/J+rFd8Puk9xQXkAk5gtRJ+EiBjQZEhIJII9S4j9MojvldfnQXG4MCZq2vijykYOVQ/oipgSqNw946zszs4wFVrWAoZclk2bk1tyqtgqxkkj0TTwIXY2VfInsWFxD/3rDCluhcm6BGxwpQenf9WcO9HcjXScxWCVoj1xEKoz2EWs5Yz+47bMOX0XSfQdNTrhQDAWX7nAEEA6/oHUm46QdJTg5UtCf5yxbjwIgAf3SZboeJUyNSK7Q1WQQUlETGFBqUZa4n/YRWCQVzi42QoGrPxpP3LrDhlEYnFm7fQM=", "c2_domain": ["app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "3500", "server": "580", "serpent_key": "GfG96RIHgUj8PvPF", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: c3.dllVirustotal: Detection: 58%Perma Link
                      Source: c3.dllReversingLabs: Detection: 65%
                      Source: c3.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: c3.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: c:\surface\829\began-Glad\Law.pdb source: loaddll32.exe, 00000000.00000002.878842314.000000006F26E000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.880085108.000000006F26E000.00000002.00020000.sdmp, c3.dll

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY

                      E-Banking Fraud:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY
                      Source: c3.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F2522640_2_6F252264
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F2522643_2_6F252264
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F252485 NtQueryVirtualMemory,0_2_6F252485
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F252485 NtQueryVirtualMemory,3_2_6F252485
                      Source: c3.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: c3.dllVirustotal: Detection: 58%
                      Source: c3.dllReversingLabs: Detection: 65%
                      Source: c3.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Againkind@0
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c3.dll'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Againkind@0
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Consonanttime@8
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Nooncry@4
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Againkind@0Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Consonanttime@8Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Nooncry@4Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1Jump to behavior
                      Source: classification engineClassification label: mal72.troj.winDLL@11/0@0/0
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: c3.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: c3.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: c3.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: c3.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: c3.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: c3.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: c3.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: c3.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: c:\surface\829\began-Glad\Law.pdb source: loaddll32.exe, 00000000.00000002.878842314.000000006F26E000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.880085108.000000006F26E000.00000002.00020000.sdmp, c3.dll
                      Source: c3.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: c3.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: c3.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: c3.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: c3.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F252200 push ecx; ret 0_2_6F252209
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F252253 push ecx; ret 0_2_6F252263
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F2635F6 push ebx; retf 0_2_6F263609
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F2639C2 push edi; retf 0_2_6F2639D0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F26482E push ebp; retf 0_2_6F264842
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F26046F push edx; retf 0_2_6F260470
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F262885 push ss; retf 001Eh0_2_6F26297E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F261C9C push ebp; iretd 0_2_6F261D20
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F260CF4 pushfd ; retf 005Dh0_2_6F260D0A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F28092C push ebp; retf 0_2_6F28092D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F28013B push EC30617Dh; retn 0000h0_2_6F28014E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F252200 push ecx; ret 3_2_6F252209
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F252253 push ecx; ret 3_2_6F252263
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F2635F6 push ebx; retf 3_2_6F263609
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F2639C2 push edi; retf 3_2_6F2639D0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F26482E push ebp; retf 3_2_6F264842
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F26046F push edx; retf 3_2_6F260470
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F262885 push ss; retf 001Eh3_2_6F26297E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F261C9C push ebp; iretd 3_2_6F261D20
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F260CF4 pushfd ; retf 005Dh3_2_6F260D0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F28092C push ebp; retf 3_2_6F28092D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F28013B push EC30617Dh; retn 0000h3_2_6F28014E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F251F31 LoadLibraryA,GetProcAddress,0_2_6F251F31
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.80010328322

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
                      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F27E20C mov eax, dword ptr fs:[00000030h]0_2_6F27E20C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F27E142 mov eax, dword ptr fs:[00000030h]0_2_6F27E142
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F27DD49 push dword ptr fs:[00000030h]0_2_6F27DD49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F27E20C mov eax, dword ptr fs:[00000030h]3_2_6F27E20C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F27E142 mov eax, dword ptr fs:[00000030h]3_2_6F27E142
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F27DD49 push dword ptr fs:[00000030h]3_2_6F27DD49
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F251F31 LoadLibraryA,GetProcAddress,0_2_6F251F31
                      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1Jump to behavior
                      Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmpBinary or memory string: &Program Manager
                      Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,0_2_6F251566
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,3_2_6F251566
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F25146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6F25146C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F2517A7 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,0_2_6F2517A7

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsNative API1Path InterceptionProcess Injection12Rundll321OS Credential DumpingSystem Time Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsSoftware Packing2LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection12Security Account ManagerSystem Information Discovery13SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 498859 Sample: c3.dll Startdate: 07/10/2021 Architecture: WINDOWS Score: 72 19 Found malware configuration 2->19 21 Antivirus / Scanner detection for submitted sample 2->21 23 Multi AV Scanner detection for submitted file 2->23 25 Yara detected  Ursnif 2->25 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 rundll32.exe 7->15         started        process5 17 rundll32.exe 9->17         started       

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.