Windows Analysis Report fiHY95Y1CZ.exe

Overview

General Information

Sample Name: fiHY95Y1CZ.exe (renamed file extension from exe to dll)
Analysis ID: 540821
MD5: 3b7d8109b37e996e06ae68144f37a73c
SHA1: 9ee1957c39834e9ea87cd72d7f09e9f08e1712d3
SHA256: 53f09461a48f10c95f426cd179106cbe94fba81c498fb7414d6a849470ee777e
Tags: exe, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
PE file has a writeable .text section
Writes or reads registry keys via WMI
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Registers a DLL
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.776128784.0000000000710000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif
    {
      "RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=",
      "c2_domain": [
        "microsoft.com/windowsdisabler",
        "windows.update3.com",
        "berukoneru.website",
        "gerukoneru.website",
        "fortunarah.com"
      ],
      "botnet": "8899",
      "server": "12",
      "serpent_key": "56473871MNTYAIDA",
      "sleep_time": "10",
      "CONF_TIMEOUT": "10",
      "SetWaitableTimer_value": "0",
      "DGA_count": "10"
    }
Multi AV Scanner detection for submitted file
Source: fiHY95Y1CZ.dll Virustotal: Detection: 23%
Source: fiHY95Y1CZ.dll ReversingLabs: Detection: 37%
Antivirus detection for URL or domain
Source: https://berukoneru.website:4434 Avira URL Cloud: Label: malware
Source: https://berukoneru.website:443 Avira URL Cloud: Label: malware
Source: https://berukoneru.website/tire/pwsRZXEKCNadKEKqX1o9/b2Zj7hHedRFWAjDTz7_/2FOi9hvcPIf92jE5HHyv1B/OfZF Avira URL Cloud: Label: malware
Source: https://berukoneru.website/ Avira URL Cloud: Label: malware
Source: https://berukoneru.website/tire/za2qkobGG8hjnBcNlK5rpy/DM0ZTFZcdObn9/heBYxiqA/288tZtaDdhUDDHi0oDe4mT Avira URL Cloud: Label: malware
Source: https://berukoneru.website/n Avira URL Cloud: Label: malware
Source: https://berukoneru.website/tire/r5QiHxjTySmGYdSO5D/jcUwjLzfU/E7ReP6jBdZthorydDqCp/VP_2FtRTEArd2s1OvU Avira URL Cloud: Label: malware
Source: https://berukoneru.website/_ Avira URL Cloud: Label: malware
Source: https://berukoneru.website/f Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: berukoneru.website Virustotal: Detection: 9%
Source: gerukoneru.website Virustotal: Detection: 8%
Source: fortunarah.com Virustotal: Detection: 9%
Machine Learning detection for sample
Source: fiHY95Y1CZ.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 4.2.regsvr32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 5.2.rundll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 6.2.rundll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: fiHY95Y1CZ.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 3.20.161.64 187
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: gerukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 3.12.124.139 187
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: fortunarah.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: unknown DNS traffic detected: queries for: windows.update3.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6728, type: MEMORYSTR
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000001.00000002.776460108.000000000079B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

System Summary:

PE file has a writeable .text section
Source: fiHY95Y1CZ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: fiHY95Y1CZ.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002244 1_2_10002244
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00781006 1_2_00781006
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0078B084 1_2_0078B084
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00783373 1_2_00783373
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0078294D 1_2_0078294D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590DF9 1_2_00590DF9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590DF7 1_2_00590DF7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0346294D 4_2_0346294D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_03463373 4_2_03463373
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0346B084 4_2_0346B084
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_006E1006 5_2_006E1006
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_006EB084 5_2_006EB084
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_006E3373 5_2_006E3373
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_006E294D 5_2_006E294D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00740DF7 5_2_00740DF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00740DF9 5_2_00740DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00541006 6_2_00541006
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0054B084 6_2_0054B084
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0054294D 6_2_0054294D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00543373 6_2_00543373
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00720DF7 6_2_00720DF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00720DF9 6_2_00720DF9
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001297 GetProcAddress,NtCreateSection,memset, 1_2_10001297
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001E31 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_10001E31
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002058 NtMapViewOfSection, 1_2_10002058
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002465 NtQueryVirtualMemory, 1_2_10002465
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00786C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_00786C06
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0078B2A9 NtQueryVirtualMemory, 1_2_0078B2A9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590880 NtAllocateVirtualMemory, 1_2_00590880
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590ABA NtProtectVirtualMemory, 1_2_00590ABA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_005908B7 NtAllocateVirtualMemory, 1_2_005908B7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_03466C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_03466C06
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0346B2A9 NtQueryVirtualMemory, 4_2_0346B2A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_006E6C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_006E6C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_006EB2A9 NtQueryVirtualMemory, 5_2_006EB2A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_007408B7 NtAllocateVirtualMemory, 5_2_007408B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00740ABA NtProtectVirtualMemory, 5_2_00740ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00740880 NtAllocateVirtualMemory, 5_2_00740880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00546C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_00546C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0054B2A9 NtQueryVirtualMemory, 6_2_0054B2A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007208B7 NtAllocateVirtualMemory, 6_2_007208B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00720ABA NtProtectVirtualMemory, 6_2_00720ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00720880 NtAllocateVirtualMemory, 6_2_00720880
Sample file is different than original file name gathered from version info
Source: fiHY95Y1CZ.dll Binary or memory string: OriginalFilenameSymErr.exeT vs fiHY95Y1CZ.dll
Source: fiHY95Y1CZ.dll Binary or memory string: OriginalFilenameNsc.exe. vs fiHY95Y1CZ.dll
Source: fiHY95Y1CZ.dll Binary or memory string: OriginalFilenamebyInstallHelper.exe. vs fiHY95Y1CZ.dll
Source: fiHY95Y1CZ.dll Binary or memory string: OriginalFilenameBgRegister.exe4 vs fiHY95Y1CZ.dll
PE file contains strange resources
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fiHY95Y1CZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
PE / OLE file has an invalid certificate
Source: fiHY95Y1CZ.dll Static PE information: invalid certificate
Source: fiHY95Y1CZ.dll Virustotal: Detection: 23%
Source: fiHY95Y1CZ.dll ReversingLabs: Detection: 37%
Source: fiHY95Y1CZ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fiHY95Y1CZ.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fiHY95Y1CZ.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@9/0@91/4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00783309 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_00783309
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: fiHY95Y1CZ.dll Static file information: File size 1776800 > 1048576
Source: fiHY95Y1CZ.dll Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16fa00

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002233 push ecx; ret 1_2_10002243
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_100021E0 push ecx; ret 1_2_100021E9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0078B073 push ecx; ret 1_2_0078B083
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0078E97E pushad ; iretd 1_2_0078E982
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0078AD40 push ecx; ret 1_2_0078AD49
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590A66 push edx; ret 1_2_00590B11
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_005905DF push dword ptr [ebp-00000284h]; ret 1_2_0059087F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590ECD push 1001C571h; ret 1_2_00590ED4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590BFC push dword ptr [esp+0Ch]; ret 1_2_00590C10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590BFC push dword ptr [esp+10h]; ret 1_2_00590C56
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_005906F5 push dword ptr [ebp-00000284h]; ret 1_2_00590764
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590880 push dword ptr [ebp-00000284h]; ret 1_2_005908B6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590ABA push edx; ret 1_2_00590B11
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_005908B7 push dword ptr [ebp-00000284h]; ret 1_2_00590A65
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_005908B7 push dword ptr [ebp-0000028Ch]; ret 1_2_00590AB9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_005908B7 push edx; ret 1_2_00590B11
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_005908B7 push dword ptr [esp+10h]; ret 1_2_00590BFB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0346AD40 push ecx; ret 4_2_0346AD49
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0346E97E pushad ; iretd 4_2_0346E982
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0346B073 push ecx; ret 4_2_0346B083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_006EB073 push ecx; ret 5_2_006EB083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_006EE97E pushad ; iretd 5_2_006EE982
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_006EAD40 push ecx; ret 5_2_006EAD49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00740A66 push edx; ret 5_2_00740B11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_007406F5 push dword ptr [ebp-00000284h]; ret 5_2_00740764
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00740ECD push 1001C571h; ret 5_2_00740ED4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_007408B7 push dword ptr [ebp-00000284h]; ret 5_2_00740A65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_007408B7 push dword ptr [ebp-0000028Ch]; ret 5_2_00740AB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_007408B7 push edx; ret 5_2_00740B11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_007408B7 push dword ptr [esp+10h]; ret 5_2_00740BFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00740ABA push edx; ret 5_2_00740B11
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001D26 LoadLibraryA,GetProcAddress, 1_2_10001D26
PE file contains an invalid checksum
Source: fiHY95Y1CZ.dll Static PE information: real checksum: 0x1b3666 should be: 0x1b9826
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.370118981.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418476955.000000000581F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.397818170.0000000004D1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.370329481.0000000005A1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.779225699.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.780149501.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.396516562.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.346831969.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.392772677.0000000002EFD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.376015691.0000000004E1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.346931198.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.352281996.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.396552270.000000000591D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.419719832.0000000004C1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.780908469.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6728, type: MEMORYSTR
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2800 Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2800 Thread sleep count: 131 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6312 Thread sleep time: -210000s >= -30000s
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 754
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 2057
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 423
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1379
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1273
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 2114
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1316
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 881
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 519
Source: loaddll32.exe, 00000001.00000002.776460108.000000000079B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWx
Source: loaddll32.exe, 00000001.00000003.391563664.00000000007FE000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp, loaddll32.exe, 00000001.00000003.713545660.00000000007FE000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.538531416.00000000007FE000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.658990293.00000000007FE000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.726780006.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.601752687.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.671260223.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.419508234.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729612790.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.441407855.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.751486716.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.777634144.00000000007C9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000003.726780006.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.601752687.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.671260223.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.419508234.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729612790.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.441407855.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.751486716.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.777634144.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.568624459.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.626245074.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.397624626.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.474820798.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.649386034.00000000007C9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWpTo=
Source: rundll32.exe, 00000006.00000003.729512473.0000000000790000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.501682388.0000000000790000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.671371303.0000000000790000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.397669919.0000000000790000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.546877094.0000000000790000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.777298156.0000000000790000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWH

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001D26 LoadLibraryA,GetProcAddress, 1_2_10001D26
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590C57 mov eax, dword ptr fs:[00000030h] 1_2_00590C57
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590B14 mov eax, dword ptr fs:[00000030h] 1_2_00590B14
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590BFC mov eax, dword ptr fs:[00000030h] 1_2_00590BFC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00590CE8 mov eax, dword ptr fs:[00000030h] 1_2_00590CE8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_005908B7 mov eax, dword ptr fs:[00000030h] 1_2_005908B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00740C57 mov eax, dword ptr fs:[00000030h] 5_2_00740C57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00740CE8 mov eax, dword ptr fs:[00000030h] 5_2_00740CE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_007408B7 mov eax, dword ptr fs:[00000030h] 5_2_007408B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00740B14 mov eax, dword ptr fs:[00000030h] 5_2_00740B14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00740BFC mov eax, dword ptr fs:[00000030h] 5_2_00740BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00720C57 mov eax, dword ptr fs:[00000030h] 6_2_00720C57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00720CE8 mov eax, dword ptr fs:[00000030h] 6_2_00720CE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007208B7 mov eax, dword ptr fs:[00000030h] 6_2_007208B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00720B14 mov eax, dword ptr fs:[00000030h] 6_2_00720B14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00720BFC mov eax, dword ptr fs:[00000030h] 6_2_00720BFC
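
The `mov eax, dword ptr fs:[00000030h]` pattern flagged above is the 32-bit read of the TEB's pointer to the PEB, the usual first step of an inline BeingDebugged check (PEB+0x02) or a hand-rolled walk of the loader lists. The scanner below is an added example, not code from the sample or from the sandbox: it finds the byte encodings of that FS-relative load (the short EAX-only form the report shows, and the long ModRM form for any register) in a raw code blob and reports whether the next instruction reads PEB+2. The sample bytes are constructed for the demonstration, not taken from fiHY95Y1CZ.exe, and the scan is a linear byte-pattern match rather than a disassembly, so it can misfire on data that happens to contain the prefix sequence.

```python
"""Heuristic scan for 32-bit x86 reads of the PEB via FS:[0x30].

Added example for this report; not code from the sample or the sandbox.
The report flags `mov eax, dword ptr fs:[00000030h]`; this finds that load
(short and long encodings, any register) in a code blob and notes whether the
following instruction touches PEB.BeingDebugged at [reg+2].
"""
from typing import List, Optional, Tuple

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # indexed by ModRM reg/rm
PEB_OFFSET = 0x30   # TEB.ProcessEnvironmentBlock on 32-bit Windows


def _decode_fs_load(buf: bytes, i: int) -> Optional[Tuple[str, int, int]]:
    """Decode `mov r32, dword ptr fs:[disp32]` at buf[i] -> (reg, disp32, length) or None."""
    if buf[i] != 0x64:                                   # FS segment-override prefix
        return None
    if buf[i + 1:i + 2] == b"\xa1" and len(buf) >= i + 6:
        # A1 moffs32: short form that only exists for EAX (the form seen in the report)
        return "eax", int.from_bytes(buf[i + 2:i + 6], "little"), 6
    if buf[i + 1:i + 2] == b"\x8b" and len(buf) >= i + 7:
        modrm = buf[i + 2]
        if modrm & 0xC7 == 0x05:                         # mod=00, rm=101 -> [disp32], no base
            reg = REGS32[(modrm >> 3) & 7]
            return reg, int.from_bytes(buf[i + 3:i + 7], "little"), 7
    return None


def _probes_being_debugged(buf: bytes, i: int, reg: str) -> bool:
    """True if the instruction at buf[i] reads byte ptr [reg+2] (PEB.BeingDebugged)."""
    r = REGS32.index(reg)
    if r == 4:                       # [esp+disp8] needs a SIB byte; out of scope here
        return False
    nxt = buf[i:i + 4]
    if len(nxt) < 4:
        return False
    # movzx r32, byte ptr [reg+2]  ->  0F B6 <mod=01, rm=reg> 02
    if nxt[:2] == b"\x0f\xb6" and nxt[2] & 0xC7 == (0x40 | r) and nxt[3] == 0x02:
        return True
    # cmp byte ptr [reg+2], imm8   ->  80 <mod=01, /7, rm=reg> 02 imm8
    if nxt[0] == 0x80 and nxt[1] == (0x78 | r) and nxt[2] == 0x02:
        return True
    return False


def find_peb_reads(buf: bytes) -> List[Tuple[int, str, bool]]:
    """Return (offset, register, followed_by_BeingDebugged_probe) for each FS:[0x30] load."""
    hits = []
    i = 0
    while i < len(buf):
        dec = _decode_fs_load(buf, i)
        if dec is not None and dec[1] == PEB_OFFSET:
            reg, _, length = dec
            hits.append((i, reg, _probes_being_debugged(buf, i + length, reg)))
            i += length
        else:
            i += 1
    return hits


# Constructed code fragment (not bytes from fiHY95Y1CZ.exe) mixing a BeingDebugged
# check, a TEB self-pointer read that must NOT be flagged, and a PEB.Ldr walk.
SAMPLE = bytes.fromhex(
    "55 8b ec"                # push ebp; mov ebp, esp
    "64 a1 30 00 00 00"       # mov eax, dword ptr fs:[30h]     ; PEB (short form)
    "0f b6 40 02"             # movzx eax, byte ptr [eax+2]     ; PEB.BeingDebugged
    "64 a1 18 00 00 00"       # mov eax, dword ptr fs:[18h]     ; TEB.Self, decoy
    "64 8b 1d 30 00 00 00"    # mov ebx, dword ptr fs:[30h]     ; PEB (long form, EBX)
    "8b 43 0c"                # mov eax, dword ptr [ebx+0Ch]    ; PEB.Ldr
    "c3"                      # ret
)

if __name__ == "__main__":
    for off, reg, probe in find_peb_reads(SAMPLE):
        note = "then reads PEB.BeingDebugged" if probe else "no immediate BeingDebugged read"
        print(f"0x{off:04x}: mov {reg}, fs:[30h]  ({note})")
```

Run against a dumped code section, the hits that are followed by a BeingDebugged read are the anti-debug checks; hits without one are more often loader-list walks used to resolve imports by hash, which is consistent with the LoadLibraryA/GetProcAddress resolution the report also flags. The fs:[18h] decoy shows why the displacement must be checked rather than just the prefix.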

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 3.20.161.64 187 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: gerukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 18.219.227.107 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 3.12.124.139 187 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: fortunarah.com
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1 Jump to behavior
Source: loaddll32.exe, 00000001.00000002.778444156.0000000000EA0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.779417132.00000000038F0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.780211416.00000000031B0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.780551458.00000000031B0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000002.778444156.0000000000EA0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.779417132.00000000038F0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.780211416.00000000031B0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.780551458.00000000031B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.778444156.0000000000EA0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.779417132.00000000038F0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.780211416.00000000031B0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.780551458.00000000031B0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.778444156.0000000000EA0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.779417132.00000000038F0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.780211416.00000000031B0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.780551458.00000000031B0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
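
The two observations above, cmd.exe launching rundll32.exe with an export named by ordinal (`,#1`) from a DLL under the user's Desktop, and regsvr32.exe/rundll32.exe resolving the configured domains and connecting out, are the telemetry a detection engineer would key on. The triage below is an added example, not the sandbox's or the report's own rule logic, run over constructed process and network events that mirror the lines above (PIDs and paths follow the report's process list; the benign rundll32 and svchost rows are invented so the rules can be seen not firing).

```python
"""Triage of process-creation and network telemetry for the rundll32/regsvr32 pattern above.

Added example for this report; not the sandbox's own rule logic. The events below
are constructed to mirror the observations (cmd.exe -> rundll32.exe with an ordinal
entry point, regsvr32.exe/rundll32.exe doing DNS and outbound connects) plus two
benign events that must not alert.
"""
import re
from typing import Dict, List, Optional, Tuple

# Host processes that legitimately run DLL code but rarely need the network themselves.
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "loaddll32.exe"}
# `rundll32[.exe] <dll>,#<ordinal>`: entry point named by export ordinal, not by name.
ORDINAL_CALL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*#(\d+)', re.I)
# Locations a standard user can write to; a DLL loaded from here by a system binary is suspect.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.I)


def ordinal_entry(cmdline: str) -> Optional[Tuple[str, int]]:
    """Return (dll_path, ordinal) if the rundll32 command line names its export by ordinal."""
    m = ORDINAL_CALL.search(cmdline)
    return (m.group(1), int(m.group(2))) if m else None


def triage(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) alerts for the events; order follows the input."""
    alerts = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "process_create" and image == "rundll32.exe":
            hit = ordinal_entry(ev["cmdline"])
            if hit:
                dll, ordinal = hit
                alerts.append(("rundll32_ordinal_call", ev["pid"], f"#{ordinal} {dll}"))
                if USER_WRITABLE.search(dll):
                    alerts.append(("dll_from_user_writable_path", ev["pid"], dll))
        elif ev["type"] in ("dns_query", "net_connect") and image in LOLBIN_HOSTS:
            alerts.append(("lolbin_network_activity", ev["pid"], ev.get("query") or ev.get("dst")))
    return alerts


# Constructed events (PIDs and paths follow the report's process list; benign rows are invented).
EVENTS = [
    {"type": "process_create", "pid": 6712, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1'},
    {"type": "dns_query", "pid": 6700, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "query": "berukoneru.website"},
    {"type": "net_connect", "pid": 6712, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst": "3.20.161.64"},
    {"type": "process_create", "pid": 4242, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},          # benign: named export, system DLL
    {"type": "dns_query", "pid": 1234, "image": r"C:\Windows\System32\svchost.exe",
     "query": "ctldl.windowsupdate.com"},                             # benign: not a LOLBin host
]

if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

Ordinal entry points and user-writable DLL paths each occur in some legitimate installers, so on their own they are hunting leads; the combination with the same rundll32/regsvr32 process then performing DNS and outbound connects is what turns the three rules into a confident alert, which is the chain the report records.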

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0078A303 cpuid 1_2_0078A303
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001815 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_10001815
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_100015CF CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_100015CF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0078A303 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_0078A303

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.370118981.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418476955.000000000581F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.397818170.0000000004D1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.370329481.0000000005A1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.779225699.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.780149501.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.396516562.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.346831969.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.392772677.0000000002EFD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.376015691.0000000004E1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.346931198.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.352281996.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.396552270.000000000591D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.419719832.0000000004C1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.780908469.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6728, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.370118981.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418476955.000000000581F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.397818170.0000000004D1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.370329481.0000000005A1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.779225699.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.780149501.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.396516562.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.346831969.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.392772677.0000000002EFD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.376015691.0000000004E1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.346931198.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.352281996.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.396552270.000000000591D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.419719832.0000000004C1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.780908469.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6728, type: MEMORYSTR