Windows
Analysis Report
NdmYtW.xyiLj
Overview
General Information
Detection
Ursnif
| Score | 100 |
|---|---|
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Windows Shell File Write to Suspicious Folder
Writes to foreign memory regions
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Sigma detected: MSHTA Spawning Windows Shell
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll32.exe (PID: 6884 cmdline: loaddll32.exe "C:\Users\user\Desktop\NdmYtW.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
cmd.exe (PID: 6900 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NdmYtW.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
rundll32.exe (PID: 6924 cmdline: rundll32.exe "C:\Users\user\Desktop\NdmYtW.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
control.exe (PID: 6356 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
WerFault.exe (PID: 7000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
WerFault.exe (PID: 7088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 612 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
WerFault.exe (PID: 4596 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
mshta.exe (PID: 5052 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gbob='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gbob).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
powershell.exe (PID: 5248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name llstxy -value gp; new-alias -name dtaagibhy -value iex; dtaagibhy ([System.Text.Encoding]::ASCII.GetString((llstxy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
conhost.exe (PID: 2796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
csc.exe (PID: 6512 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s5wot0wy\s5wot0wy.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
cvtres.exe (PID: 6580 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES249.tmp" "c:\Users\user\AppData\Local\Temp\s5wot0wy\CSC4A66175C42A34DCCBF374AEBACAD802E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
csc.exe (PID: 5992 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0sg2urkr\0sg2urkr.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
cvtres.exe (PID: 6104 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES23CB.tmp" "c:\Users\user\AppData\Local\Temp\0sg2urkr\CSC9E8D9CF5EFB2455BAC85F18857F6B836.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- cleanup
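The process chain above is worth replaying as a detection exercise: the DLL is loaded by ordinal (`,#1`), an HTA reads a payload out of `HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\TestLocal` and passes it to `eval`, PowerShell hides `iex` and `gp` behind freshly created aliases to decode and execute the `UrlsReturn` value from the same key, and csc.exe/cvtres.exe compile C# out of `%TEMP%` (the Add-Type pattern) before code lands in explorer.exe. The Python below is an added example, not part of the Joe Sandbox report and not a Sigma rule file. It replays the report's own command lines as constructed process-creation events and applies rules equivalent to the Sigma hits listed under Signatures. The parent/child links, the rule names and the 200-character "very long command line" threshold are assumptions; the report does not state them.

```python
"""Sigma-style triage of the process chain in this report.

Added example; not part of the Joe Sandbox report and not a Sigma rule file.
The command lines are the ones from the process tree above. Parent/child links
(ppid) are an assumption reconstructed from the report's signatures: cmd /C ->
rundll32, "MSHTA Spawning Windows Shell", and PowerShell compiling C# through
csc.exe/cvtres.exe. Roots whose parent the report does not show get ppid None.
"""
import re

# Constructed process-creation events (Sysmon Event ID 1 reduced to the fields the
# rules need). Images are basenames because the report lists them that way.
EVENTS = [
    {"pid": 6884, "ppid": None, "image": "loaddll32.exe",
     "cmdline": r'loaddll32.exe "C:\Users\user\Desktop\NdmYtW.dll"'},
    {"pid": 6900, "ppid": 6884, "image": "cmd.exe",
     "cmdline": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NdmYtW.dll",#1'},
    {"pid": 6924, "ppid": 6900, "image": "rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\NdmYtW.dll",#1'},
    {"pid": 6356, "ppid": 6884, "image": "control.exe",
     "cmdline": r"C:\Windows\system32\control.exe -h"},
    {"pid": 5052, "ppid": None, "image": "mshta.exe",
     "cmdline": r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>'''
                r'''Gbob='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gbob)'''
                r'''.regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E'''
                r'''\\\TestLocal'));if(!window.flag)close()</script>'''},
    {"pid": 5248, "ppid": 5052, "image": "powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name llstxy -value gp; '
                r'new-alias -name dtaagibhy -value iex; dtaagibhy ([System.Text.Encoding]::ASCII.GetString('
                r'(llstxy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'},
    {"pid": 6512, "ppid": 5248, "image": "csc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
                r'@"C:\Users\user\AppData\Local\Temp\s5wot0wy\s5wot0wy.cmdline'},
    {"pid": 6580, "ppid": 6512, "image": "cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                r'"/OUT:C:\Users\user\AppData\Local\Temp\RES249.tmp" '
                r'"c:\Users\user\AppData\Local\Temp\s5wot0wy\CSC4A66175C42A34DCCBF374AEBACAD802E.TMP"'},
    {"pid": 684, "ppid": None, "image": "explorer.exe", "cmdline": r"C:\Windows\Explorer.EXE"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LONG_CMDLINE = 200  # assumed threshold; the report does not state the one it used


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def run_rules(events, long_cmdline=LONG_CMDLINE):
    """Return (rule_name, pid) pairs, one per rule that fires on an event."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        # "MSHTA Spawning Windows Shell": parent is mshta.exe, child a shell or script host
        if parent is not None and basename(parent["image"]) == "mshta.exe" and img in SHELLS:
            findings.append(("mshta_spawns_shell", e["pid"]))
        # The HTA body itself: WScript.Shell RegRead output handed to eval()
        if img == "mshta.exe" and re.search(r"ActiveXObject\([^)]*\)\.regread\(", cmd, re.I):
            findings.append(("mshta_regread_eval", e["pid"]))
        # "Suspicious Call by Ordinal": rundll32 export given as ,#N instead of a name
        if img == "rundll32.exe" and re.search(r",#\d+\b", cmd):
            findings.append(("rundll32_ordinal_call", e["pid"]))
        # "Suspicious Csc.exe Source File Folder": compiling from a user temp directory (Add-Type)
        if img == "csc.exe" and re.search(r"\\AppData\\Local\\Temp\\", cmd, re.I):
            findings.append(("csc_from_temp", e["pid"]))
        # Alias laundering of iex / Invoke-Expression, as used here to hide the eval step
        if img == "powershell.exe" and re.search(
                r"new-alias\s+-name\s+\S+\s+-value\s+(?:iex|invoke-expression)\b", cmd, re.I):
            findings.append(("powershell_alias_to_iex", e["pid"]))
        # "Very long cmdline option found"
        if len(cmd) > long_cmdline:
            findings.append(("long_cmdline", e["pid"]))
    return findings


# HKCU\Software\AppDataLow\Software\Microsoft\{GUID}: the key both stages read (TestLocal, UrlsReturn).
# \\+ tolerates the doubled backslashes of the JavaScript string literal in the HTA.
STAGING_KEY = re.compile(
    r"AppDataLow\\+Software\\+Microsoft\\+([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")


def staging_registry_keys(events):
    """GUID subkeys referenced from command lines; these are what to hunt for on other hosts."""
    return sorted({m.group(1).upper() for e in events for m in STAGING_KEY.finditer(e["cmdline"])})


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:26} pid={pid}")
    print("staging keys:", staging_registry_keys(EVENTS))
```

The registry location matters more than any single process name: both the HTA (`TestLocal`) and the PowerShell stage (`UrlsReturn`) read from the same GUID-named key, so that key is the artifact that survives a reboot and the one to sweep for across the fleet, while the process names (mshta, powershell, csc) vary between Ursnif builds.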
Malware Configuration
{
  "RSA Public Key": "rM7U8h0H6XyHguKwe9if1a7N2/FMbudF6vIxc9cr6EC/ZxyH88ceq1sDzyjTgbcBMGvmPN0YcdpRxnebuQQLE3vAtHW2D9dfaEUpfJPWVhDRMv39NnfkoeGJw/DKTIS7SCwLstvvOgf2mhmdWsmtHCXwtcYZiWu8/BOeGK1BWWHiN/Ig8xejls7e4AIsWKVv4+0iV7nRKNKROI2Qs2vRdc6VR6tqxTeQ3FcxQqhTkNgnBHeF+EnzLo2cTMhoG9V16GNJW/rY0Nz2nqGVlgMhDYPyTdL4ybN77mlsw23BUmoUdB2vxx7aFOwbEJIw3SXQUMfs3KCDU3fRYvlDBVDr40UzsOF+1zKtZ4V9bCghne8=",
  "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"],
  "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"],
  "serpent_key": "Q8tR9QJN7lLzOLle",
  "tor32_dll": "file://c:\\test\\test32.dll",
  "tor64_dll": "file://c:\\test\\tor64.dll",
  "movie_capture": "30, 8, *terminal* *debug**snif* *shark*",
  "server": "50",
  "sleep_time": "1",
  "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60",
  "time_value": "60",
  "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60",
  "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
  "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60",
  "not_use(CRC_BCTIMEOUT)": "10",
  "botnet": "999",
  "SetWaitableTimer_value": "1"
}
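The extracted configuration is the most reusable part of the report, but it needs a little processing before it becomes a block list: the `c2_domain` list interleaves three hard-coded IPs with `config.edge.skype.com`, a legitimate Microsoft endpoint that must not be blocked, and the timers are spread over keys named after the internal CRC constants. The Python below is an added example, not part of the Joe Sandbox report. It embeds the report's configuration dump verbatim, separates IP indicators from domains, applies an allowlist, collects the beacon timers, and inspects the RSA blob. Treating `config.edge.skype.com` as a decoy or connectivity check rather than a C2 is this code's assessment, not a statement in the report; the allowlist and the function names are assumptions.

```python
"""Indicators from the Ursnif configuration the sandbox extracted above.

Added example; not part of the Joe Sandbox report. CONFIG_JSON is the report's
configuration dump, embedded verbatim. ALLOWLIST is an assumption: the domain
appears between hard-coded IPs, belongs to Microsoft, and blocking it would break
Skype/Teams clients, so it is excluded from the actionable indicators.
"""
import base64
import ipaddress
import json
import re

CONFIG_JSON = r'''{"RSA Public Key": "rM7U8h0H6XyHguKwe9if1a7N2/FMbudF6vIxc9cr6EC/ZxyH88ceq1sDzyjTgbcBMGvmPN0YcdpRxnebuQQLE3vAtHW2D9dfaEUpfJPWVhDRMv39NnfkoeGJw/DKTIS7SCwLstvvOgf2mhmdWsmtHCXwtcYZiWu8/BOeGK1BWWHiN/Ig8xejls7e4AIsWKVv4+0iV7nRKNKROI2Qs2vRdc6VR6tqxTeQ3FcxQqhTkNgnBHeF+EnzLo2cTMhoG9V16GNJW/rY0Nz2nqGVlgMhDYPyTdL4ybN77mlsw23BUmoUdB2vxx7aFOwbEJIw3SXQUMfs3KCDU3fRYvlDBVDr40UzsOF+1zKtZ4V9bCghne8=",
"c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"],
"ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"],
"serpent_key": "Q8tR9QJN7lLzOLle",
"tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll",
"movie_capture": "30, 8, *terminal* *debug**snif* *shark*",
"server": "50", "sleep_time": "1",
"SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60",
"SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
"SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10",
"botnet": "999", "SetWaitableTimer_value": "1"}'''

# Hosts this config names that belong to well-known legitimate services (assumed allowlist).
ALLOWLIST = {"config.edge.skype.com"}


def load_config(text=CONFIG_JSON):
    return json.loads(text)


def split_c2_hosts(cfg):
    """Split c2_domain into (ips, domains), deduplicated with order preserved."""
    ips, domains = [], []
    for host in cfg["c2_domain"]:
        try:
            ipaddress.ip_address(host)
            bucket = ips
        except ValueError:
            bucket = domains
        if host not in bucket:
            bucket.append(host)
    return ips, domains


def actionable_hosts(cfg, allowlist=ALLOWLIST):
    """Hosts safe to block or hunt for: every IP plus any domain not on the allowlist."""
    ips, domains = split_c2_hosts(cfg)
    return ips + [d for d in domains if d not in allowlist]


def timers(cfg):
    """Beacon timers in seconds, keyed by the CRC_* name inside SetWaitableTimer_value(...)."""
    out = {}
    for key, value in cfg.items():
        m = re.fullmatch(r"SetWaitableTimer_value\((\w+)\)", key)
        if m:
            out[m.group(1)] = int(value)
    return out


def rsa_key_blob(cfg):
    """Raw bytes of the embedded RSA public key (Ursnif's own serialization, not DER or PEM)."""
    return base64.b64decode(cfg["RSA Public Key"])


def summary(cfg):
    ips, domains = split_c2_hosts(cfg)
    blob = rsa_key_blob(cfg)
    return {
        "botnet": cfg["botnet"],
        "c2_ips": ips,
        "decoy_or_check_domains": domains,
        "ip_check_urls": cfg["ip_check_url"],
        "serpent_key_len": len(cfg["serpent_key"]),  # 16 bytes: Serpent-128, used for C2 traffic
        "rsa_blob_len": len(blob),
        "rsa_blob_is_der": blob[:1] == b"\x30",  # a DER SEQUENCE would start with 0x30
        "timers_s": timers(cfg),
    }


if __name__ == "__main__":
    cfg = load_config()
    print(json.dumps(summary(cfg), indent=2))
    print("block/hunt:", actionable_hosts(cfg))
```

The `ip_check_url` entries (ipinfo.io, curlmyip.net) are public external-IP lookups rather than C2; they are useful as weak hunting signals from servers that have no business asking for their public address, but not as block-list entries. The `CRC_SENDTIMEOUT` of 300 seconds against 60 for the others gives the expected beacon cadence when writing a network detection for the IPs.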
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |

Full table: 12 entries.
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |

Full table: 1 entry.
System Summary

| Source | Author |
|---|---|
| | Florian Roth |
| | Nikita Nazarov, oscd.community |
| | Perez Diego (@darkquassar), oscd.community |
| | Michael Haag |