Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
62724e14c3203.dll

Overview

General Information

Sample Name:62724e14c3203.dll
Analysis ID:620140
MD5:d8b1d46801506b84938f864365bc7c81
SHA1:af58e06fafcf944e800ac5029b5a40ce5326db3e
SHA256:ac633cc57571ff54a72dd8cac9236cddef488af8074e08a3b17b53983d3f0733
Tags:dllenelenelenergiagoziisfbitaursnif
Infos:

Detection

Ursnif
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Tries to detect sandboxes and other dynamic analysis tools (window names)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
Uses 32bit PE files
PE file contains an invalid checksum
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Contains capabilities to detect virtual machines
Registers a DLL
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections

Classification

  • System is w10x64
  • loaddll32.exe (PID: 2472 cmdline: loaddll32.exe "C:\Users\user\Desktop\62724e14c3203.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4760 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4612 cmdline: rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3556 cmdline: regsvr32.exe /s C:\Users\user\Desktop\62724e14c3203.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 1340 cmdline: rundll32.exe C:\Users\user\Desktop\62724e14c3203.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
62724e14c3203.dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    No Sigma rule has matched
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: 62724e14c3203.dllVirustotal: Detection: 29%Perma Link
    Source: 62724e14c3203.dllReversingLabs: Detection: 28%
    Source: 62724e14c3203.dllJoe Sandbox ML: detected
    Source: 62724e14c3203.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: 62724e14c3203.dllString found in binary or memory: http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07
    Source: 62724e14c3203.dllString found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
    Source: 62724e14c3203.dllString found in binary or memory: http://pki-ocsp.symauth.com0

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    barindex
    Source: Yara matchFile source: 62724e14c3203.dll, type: SAMPLE

    E-Banking Fraud

    barindex
    Source: Yara matchFile source: 62724e14c3203.dll, type: SAMPLE
    Source: 62724e14c3203.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: 62724e14c3203.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 62724e14c3203.dllVirustotal: Detection: 29%
    Source: 62724e14c3203.dllReversingLabs: Detection: 28%
    Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
    Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\62724e14c3203.dll"
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\62724e14c3203.dll
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\62724e14c3203.dll,DllRegisterServer
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1Jump to behavior
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\62724e14c3203.dllJump to behavior
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\62724e14c3203.dll,DllRegisterServerJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1Jump to behavior
    Source: classification engineClassification label: mal72.troj.evad.winDLL@9/0@0/0
    Source: 62724e14c3203.dllStatic file information: File size 3735060 > 1048576
    Source: 62724e14c3203.dllStatic PE information: Raw size of .themida is bigger than: 0x100000 < 0x384000
    Source: 62724e14c3203.dllStatic PE information: real checksum: 0x39f49d should be: 0x394d2c
    Source: 62724e14c3203.dllStatic PE information: section name: .exports
    Source: 62724e14c3203.dllStatic PE information: section name: .imports
    Source: 62724e14c3203.dllStatic PE information: section name: .themida
    Source: 62724e14c3203.dllStatic PE information: section name: .taggant
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\62724e14c3203.dll
    Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: Yara matchFile source: 62724e14c3203.dll, type: SAMPLE
    Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

    barindex
    Source: C:\Windows\System32\loaddll32.exeSystem information queried: FirmwareTableInformationJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeSystem information queried: FirmwareTableInformationJump to behavior
    Source: C:\Windows\System32\loaddll32.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4944Thread sleep time: -1773297476s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll32.exeSystem information queried: ModuleInformationJump to behavior
    Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior

    Anti Debugging

    barindex
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: regmonclass
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: procmon_window_class
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: filemonclass
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1Jump to behavior

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: 62724e14c3203.dll, type: SAMPLE

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: 62724e14c3203.dll, type: SAMPLE
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management Instrumentation1
    DLL Side-Loading
    11
    Process Injection
    1
    Regsvr32
    OS Credential Dumping31
    Security Software Discovery
    Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    DLL Side-Loading
    1
    Rundll32
    LSASS Memory221
    Virtualization/Sandbox Evasion
    Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)221
    Virtualization/Sandbox Evasion
    Security Account Manager2
    System Information Discovery
    SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
    Software Packing
    NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
    Process Injection
    LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common1
    DLL Side-Loading
    Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.