Windows Analysis Report
62724e14c3203.dll

Overview

General Information

Sample Name: 62724e14c3203.dll
Analysis ID: 620140
MD5: d8b1d46801506b84938f864365bc7c81
SHA1: af58e06fafcf944e800ac5029b5a40ce5326db3e
SHA256: ac633cc57571ff54a72dd8cac9236cddef488af8074e08a3b17b53983d3f0733
Tags: dll, enel, enelenergia, gozi, isfb, ita, ursnif

Detection

Ursnif
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Tries to detect sandboxes and other dynamic analysis tools (window names)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
Uses 32bit PE files
PE file contains an invalid checksum
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Contains capabilities to detect virtual machines
Registers a DLL
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections

Classification

AV Detection

Source: 62724e14c3203.dll Virustotal: Detection: 29%
Source: 62724e14c3203.dll ReversingLabs: Detection: 28%
Source: 62724e14c3203.dll Joe Sandbox ML: detected
Source: 62724e14c3203.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 62724e14c3203.dll String found in binary or memory: http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07
Source: 62724e14c3203.dll String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: 62724e14c3203.dll String found in binary or memory: http://pki-ocsp.symauth.com0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 62724e14c3203.dll, type: SAMPLE

E-Banking Fraud

Source: Yara match File source: 62724e14c3203.dll, type: SAMPLE
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: 62724e14c3203.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\62724e14c3203.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\62724e14c3203.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\62724e14c3203.dll,DllRegisterServer
Source: classification engine Classification label: mal72.troj.evad.winDLL@9/0@0/0
Source: 62724e14c3203.dll Static file information: File size 3735060 > 1048576
Source: 62724e14c3203.dll Static PE information: Raw size of .themida is bigger than: 0x100000 < 0x384000
Source: 62724e14c3203.dll Static PE information: real checksum: 0x39f49d should be: 0x394d2c
Source: 62724e14c3203.dll Static PE information: section name: .exports
Source: 62724e14c3203.dll Static PE information: section name: .imports
Source: 62724e14c3203.dll Static PE information: section name: .themida
Source: 62724e14c3203.dll Static PE information: section name: .taggant
Source: initial sample Static PE information: section where entry point is pointing to: .taggant

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 62724e14c3203.dll, type: SAMPLE
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\regsvr32.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\loaddll32.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\SysWOW64\rundll32.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4944 Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Windows\SysWOW64\rundll32.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\SysWOW64\rundll32.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe System information queried: ModuleInformation
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Open window title or class name: regmonclass
Source: C:\Windows\SysWOW64\rundll32.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Windows\SysWOW64\rundll32.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Windows\SysWOW64\rundll32.exe Open window title or class name: procmon_window_class
Source: C:\Windows\SysWOW64\rundll32.exe Open window title or class name: filemonclass
Source: C:\Windows\SysWOW64\rundll32.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Stealing of Sensitive Information

Source: Yara match File source: 62724e14c3203.dll, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 62724e14c3203.dll, type: SAMPLE
No contacted IP infos