Windows Analysis Report 2e.dll

Overview

General Information

Sample Name: 2e.dll
Analysis ID: 498882
MD5: 92a0f1023e064a46fbf2e6bb697edf55
SHA1: d2d28a35de82e8161266355a351a1e5822d49303
SHA256: 2e012edb93bb99de397b629cdc44d7516f9e6f47cd7106c93d2d6fd66a37af87
Tags: dll

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Tries to load missing DLLs
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2e.dll Avira: detected
Found malware configuration
Source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "aHj/FBAOlIGEKeY7hJtySGbhiJ+OuJag0uZwD+z98lrXzI6cghioivt/zNqE6myavQkK1TvPguLqYjDl5wY423TG5cujR5I12+riFLmXU6yLpvCwEpgEflmuQBdLI5UmZ7PM966PLmgcotslJ9y1/jYsiD2WoJkIZSAKBnncJmMF7h9eqsKMXazDFT0yQ2hN", "c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"], "botnet": "1100", "server": "730", "serpent_key": "R13xH4JuHdOWL6Sg", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 2e.dll Virustotal: Detection: 65%
Source: 2e.dll Metadefender: Detection: 40%
Source: 2e.dll ReversingLabs: Detection: 82%
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at Virustotal: Detection: 14%
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.rundll32.exe.30e0000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.e00000.1.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2.2.rundll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.4.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: 2e.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FA7DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00FA7DD8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49792 -> 87.106.18.141:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49792 -> 87.106.18.141:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49824 -> 87.106.18.141:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.106.18.141
Source: msapplication.xml0.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp String found in binary or memory: http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1P
Source: {DD28BAED-2779-11EC-90EB-ECF4BBEA1588}.dat.21.dr, ~DFB9EDA9C4DE41A518.TMP.21.dr String found in binary or memory: http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5a
Source: {C2243AEB-2779-11EC-90EB-ECF4BBEA1588}.dat.15.dr String found in binary or memory: http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tX
Source: 2e.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 2e.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 2e.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.15.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.15.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.15.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.15.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.15.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.15.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.15.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.15.dr String found in binary or memory: http://www.youtube.com/
Source: 2e.dll String found in binary or memory: https://sectigo.com/CPS0D
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: global traffic HTTP traffic detected:
    GET /api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
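
Added example (not part of the Joe Sandbox report and not the sample's own code): the two ET rules above fire on the `_2B` and `_2F` tokens in the beacon path, and the script shows what those tokens are. Assumptions, stated here and in the code: the request body is base64 whose `+`, `/` and `=` were URL-escaped with `%` replaced by `_`, and the path was then cut into segments with `/` at arbitrary positions (one separator lands inside a token, `pNJBMQ_2/B9Q8...`). The beacon path is copied from the first GET above and the `/api1/` prefix comes from the extracted config's `c2_domain`; the favicon path is also from the report and the REST path is a constructed benign control. The decoded bytes are left as opaque ciphertext: the config's `serpent_key` points at the Serpent-CBC layer ISFB applies under the base64, and the example only checks that the recovered payload length is a multiple of the 16-byte block size.

```python
"""Ursnif/ISFB beacon URI: strip the segmenting and undo the '_XX' escapes."""
import base64
import binascii
import re
from typing import Dict, Optional

# Copied from the report's first GET request (segment boundaries preserved).
BEACON_PATH = (
    "/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u"
    "/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz"
    "/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv"
    "/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P"
    "/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf"
    "/2SujN_2Fl/B"
)
C2_PATH_PREFIX = "/api1/"   # from the config: "c2_domain": ["api10.laptok.at/api1", ...]

SAMPLE_PATHS = {
    "beacon": BEACON_PATH,                              # from the report
    "favicon": "/favicon.ico",                          # from the report
    "rest": "/api1/users/1234/sessions/active/list",    # constructed benign control
}

# Assumption: '%2B', '%2F', '%3D' with '%' swapped for '_' (the ET rule names M1/M2 key on these).
ESCAPES = {"_2B": "+", "_2F": "/", "_3D": "="}
_TOKEN = re.compile(r"_2[BF]|_3D")
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def reassemble(path: str, prefix: str = C2_PATH_PREFIX) -> Optional[str]:
    """Drop the C2 prefix, remove the '/' separators, undo the escapes.
    Returns the base64 string, or None if the result is not base64-shaped."""
    if not path.startswith(prefix):
        return None
    joined = path[len(prefix):].replace("/", "")   # separators first: '_2/B' -> '_2B'
    for esc, ch in ESCAPES.items():
        joined = joined.replace(esc, ch)
    if not _B64.match(joined) or len(joined) % 4:
        return None
    return joined


def analyse(path: str) -> Dict[str, object]:
    """Score one request path; 'ursnif_like' is the combined verdict."""
    tokens = len(_TOKEN.findall(path.replace("/", "")))
    segments = max(len(path.strip("/").split("/")) - 1, 0)
    b64 = reassemble(path)
    payload = b""
    if b64 is not None:
        try:
            payload = base64.b64decode(b64, validate=True)
        except binascii.Error:
            payload = b""
    return {
        "segments": segments,
        "escape_tokens": tokens,
        "b64_len": len(b64) if b64 else 0,
        "payload_len": len(payload),
        # Serpent-CBC ciphertext (config 'serpent_key') must be 16-byte aligned.
        "ursnif_like": bool(payload) and tokens > 0 and len(payload) % 16 == 0,
    }


if __name__ == "__main__":
    for name, p in SAMPLE_PATHS.items():
        print(f"{name:8s} {analyse(p)}")
```

On the report's beacon path the 23 segments collapse to 320 base64 characters carrying 13 escape tokens, which decode to 240 bytes; the favicon request (a browser side effect) and the REST control score nothing. A detection built on this should require the token plus the block-aligned payload, not the long multi-segment path alone, which many legitimate APIs also produce.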

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4872, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.e00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.30e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.e00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2f90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4ce94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31494a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.30e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31494a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4ce94a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match (identical set of memory dumps, process memory spaces and unpacked PE files as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll32.exe Section loaded: mspdb140.dll
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100021A4 0_2_100021A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FA40B3 0_2_00FA40B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FAAF44 0_2_00FAAF44
PE / OLE file has an invalid certificate
Source: 2e.dll Static PE information: invalid certificate
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001C22 GetProcAddress,NtCreateSection,memset, 0_2_10001C22
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001AD1 NtMapViewOfSection, 0_2_10001AD1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001252 GetLastError,NtClose, 0_2_10001252
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100023C5 NtQueryVirtualMemory, 0_2_100023C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FA7925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00FA7925
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FAB169 NtQueryVirtualMemory, 0_2_00FAB169
Source: 2e.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FA229C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00FA229C
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2e.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2243AE9-2779-11EC-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF302033FC2C26A542.TMP
Source: classification engine Classification label: mal100.troj.winDLL@11/19@2/1
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
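
Added example (not Joe Sandbox code and not the sample's code) covering two System Summary entries above: the StdRegProv Set*Value calls made through IWbemServices::ExecMethod, and the rundll32 ',#1' process creation. Two caveats drive the design. First, loaddll32.exe and the cmd.exe /C rundll32.exe ... ,#1 chain are the sandbox's DLL harness calling the export, so on a real host only the rundll32-with-ordinal pattern (or whatever loader dropped the DLL) is the signal, never loaddll32.exe itself. Second, a registry write requested over WMI is executed inside the provider host, so kernel-side registry monitoring (Sysmon Event ID 13, most EDR) attributes it to WmiPrvSE.exe rather than to loaddll32.exe or rundll32.exe; the rule keys on that mis-attribution and notes that tying the write back to the caller needs the WMI-Activity trace channel. The events are constructed Sysmon-shaped records; the SID and the Software\Placeholder\Client key are placeholders because the report does not show which key was written.

```python
"""Triage of constructed Sysmon-style events for the WMI registry write and the rundll32 ordinal call."""
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]

# Constructed sample events (Event ID 1 = process create, 13 = registry value set).
SAMPLE_EVENTS: List[Event] = [
    # The harness chain from the report: loaddll32.exe -> cmd.exe -> rundll32.exe ',#1'
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1"},
    # Benign control: rundll32 with a named export on a system DLL
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # StdRegProv::SetBinaryValue as a registry monitor sees it: the writer is the
    # WMI provider host, not the process that issued IWbemServices::ExecMethod.
    # Key name and SID are placeholders, not values from the report.
    {"EventID": 13, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Placeholder\Client",
     "Details": "Binary Data"},
    # Benign control: an ordinary user-hive write by explorer.exe
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

_RUNDLL = re.compile(r"""rundll32(?:\.exe)?\s+["']?(?P<dll>[^"',]+?)["']?\s*,\s*(?P<export>#?\w+)""", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")


def dll_from_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) parsed from a rundll32 command line, or None."""
    m = _RUNDLL.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def rule_rundll32_ordinal(ev: Event) -> bool:
    """rundll32 calling an export by ordinal (',#N') on a DLL outside the Windows
    and Program Files trees; the ordinal hides the export name from the command line."""
    if ev.get("EventID") != 1 or not str(ev.get("Image", "")).lower().endswith("\\rundll32.exe"):
        return False
    parsed = dll_from_rundll32(str(ev.get("CommandLine", "")))
    if parsed is None:
        return False
    dll, export = parsed
    return export.startswith("#") and not dll.lower().startswith(TRUSTED_DIRS)


def rule_wmi_registry_write(ev: Event) -> bool:
    """Registry value written by WmiPrvSE.exe under a user hive. Registry callbacks
    attribute StdRegProv writes to the provider host; the WMI client process is not
    in this event and must be recovered from WMI-Activity tracing."""
    if ev.get("EventID") != 13:
        return False
    image = str(ev.get("Image", "")).lower()
    target = str(ev.get("TargetObject", "")).upper()
    return image.endswith("\\wbem\\wmiprvse.exe") and target.startswith("HKU\\") and "\\SOFTWARE\\" in target


RULES = {
    "rundll32_ordinal_export_untrusted_dll": rule_rundll32_ordinal,
    "registry_write_via_wmi_provider_host": rule_wmi_registry_write,
}


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for i, name in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"event[{i}] {name}: {ev.get('CommandLine') or ev.get('TargetObject')}")
```

The WmiPrvSE.exe rule will need an allowlist in environments where management agents write user hives through WMI; the point of the example is that a hook on RegSetValueEx in the calling process, or a process-scoped registry rule, misses this write entirely.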

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002193 push ecx; ret 0_2_100021A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002140 push ecx; ret 0_2_10002149
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FAE6BE push esp; retf 0_2_00FAE6BF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FAAC00 push ecx; ret 0_2_00FAAC09
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FAE1AF push ebx; ret 0_2_00FAE1B2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FAE163 push edx; iretd 0_2_00FAE164
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FAAF33 push ecx; ret 0_2_00FAAF43
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D5BAD0 push edx; ret 0_2_00D5BBD4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D53C54 push eax; iretd 0_2_00D53C4B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D53C32 push eax; iretd 0_2_00D53C4B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D5197F push ds; retf 0_2_00D5198D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D516B6 push ecx; ret 0_2_00D516B7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D552B6 push esp; iretd 0_2_00D552D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D55EB0 push 0E0634C7h; retf 0_2_00D55EB5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D53205 push cs; retf 0_2_00D53206
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D53FFB pushad ; iretd 0_2_00D5400E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D533A6 push ds; ret 0_2_00D533BB
PE file contains sections with non-standard names
Source: 2e.dll Static PE information: section name: .data2

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match (identical set of memory dumps, process memory spaces and unpacked PE files as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above)
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FA7DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00FA7DD8
Source: C:\Windows\System32\loaddll32.exe Memory protected: page execute read | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_10001B13
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FA8B98 cpuid 0_2_00FA8B98
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_1000166F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_10001000
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FA8B98 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00FA8B98

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif