Windows Analysis Report
62835e34e60c1.dll

Overview

General Information

Sample Name: 62835e34e60c1.dll
Analysis ID: 628111
MD5: 5572213d17be7de71f36fa68eb6808a8
SHA1: 5e8b27d57f6c9dc02cf2e30d47f8ed439f0fa20e
SHA256: f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766
Tags: DHL, dll, gozi, isfb, italy, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 3.2.rundll32.exe.400000.0.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "uFHdIp1dwWhvkEA2yTiBbeuMW6YDB1lsKD5xr+wbKQpSTgCxKW/AXnU7L/HiYIBOAaOvelJb2/pY2jRw/FTeNeGEktAn4DWXMKOPXXT0NA64cjWTlmZ01c3ZQu3caOM/Vp3zMRoE3uvOCFkw5pB9m5AVXCHf7c66rMBTCpzNlB06TLav0Zslv7QoNXagpBRObC3w6aRV9zoEMPsKo8dDtjcXrpjT3cmo/nK2BeLeCRHw4m+Z1wNt/QFKG0JSvLN7KWGp2TqLTGCk8sWmJopJGBcCeH8dEEcUduFFgdi8Cilu/K4cd0diqylW1QdRW2VJSAgt/TyNLQ8XGjESLVVFp5dI5rtAU8yovXe+vZ9IsF8=", "c2_domain": ["config.edge.skype.com", "185.189.151.28", "185.189.151.70"], "botnet": "3000", "server": "50", "serpent_key": "noA8W2qeaw7z6wk9", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: 62835e34e60c1.dll Virustotal: Detection: 28%
Source: 62835e34e60c1.dll ReversingLabs: Detection: 29%
Source: http://185.189.151.70/drew/aaJEUlLh_/2FLHWWSII4z5Zv8IHOi1/CMWvnEAIAbago4IEJQ4/RXWAE Avira URL Cloud: Label: malware
Source: 62835e34e60c1.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_00CB5FBB
Source: 62835e34e60c1.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: uwGXyM.pdb source: loaddll32.exe, 00000001.00000000.379008516.00000000006BD000.00000002.00000001.01000000.00000003.sdmp, 62835e34e60c1.dll

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.189.151.28 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.189.151.70 80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49772 -> 13.107.43.16:80
Source: global traffic TCP traffic: 192.168.2.6:49764 -> 185.189.151.28:80
Source: global traffic TCP traffic: 192.168.2.6:49808 -> 185.189.151.70:80
Source: Joe Sandbox View ASN Name: AS-SOFTPLUSCH AS-SOFTPLUSCH
Source: Joe Sandbox View IP Address: 185.189.151.28 185.189.151.28
Source: unknown TCP traffic detected without corresponding DNS query: 185.189.151.28
Source: unknown TCP traffic detected without corresponding DNS query: 185.189.151.70
Source: rundll32.exe, 00000003.00000002.768863780.000000000452B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.189.151.70/drew/aaJEUlLh_/2FLHWWSII4z5Zv8IHOi1/CMWvnEAIAbago4IEJQ4/RXWAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB1CA5 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError, 3_2_00CB1CA5

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000003.00000003.409022533.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408311834.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409143246.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408868417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408399417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.769433826.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409166204.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409046116.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408598327.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49e94a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49e94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.769302653.00000000049E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: loaddll32.exe, 00000001.00000002.454356827.00000000009CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 00000003.00000003.409022533.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408311834.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409143246.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408868417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408399417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.769433826.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409166204.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409046116.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408598327.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49e94a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49e94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.769302653.00000000049E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_00CB5FBB

System Summary

Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: 62835e34e60c1.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00402274 3_2_00402274
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB829C 3_2_00CB829C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB1645 3_2_00CB1645
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB4BF1 3_2_00CB4BF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00402067 NtMapViewOfSection, 3_2_00402067
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00401000 NtCreateSection,memset, 3_2_00401000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00401308 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 3_2_00401308
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00402495 NtQueryVirtualMemory, 3_2_00402495
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB4321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_00CB4321
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB84C1 NtQueryVirtualMemory, 3_2_00CB84C1
Source: 62835e34e60c1.dll Binary or memory string: OriginalFilenamemyfile.exe$ vs 62835e34e60c1.dll
Source: 62835e34e60c1.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 62835e34e60c1.dll Virustotal: Detection: 28%
Source: 62835e34e60c1.dll ReversingLabs: Detection: 29%
Source: 62835e34e60c1.dll Static PE information: Section: .text IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 400
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 408
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 436
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB41C.tmp
Source: classification engine Classification label: mal100.troj.evad.winDLL@8/12@0/3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB68BD CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_00CB68BD
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7012
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: uwGXyM.pdb source: loaddll32.exe, 00000001.00000000.379008516.00000000006BD000.00000002.00000001.01000000.00000003.sdmp, 62835e34e60c1.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00402263 push ecx; ret 3_2_00402273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00402210 push ecx; ret 3_2_00402219
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB828B push ecx; ret 3_2_00CB829B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB7EA0 push ecx; ret 3_2_00CB7EA9
Source: 62835e34e60c1.dll Static PE information: section name: .erloc
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_004015E3 LoadLibraryA,GetProcAddress, 3_2_004015E3
Source: 62835e34e60c1.dll Static PE information: real checksum: 0x79835 should be: 0x6cbe1

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 00000003.00000003.409022533.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408311834.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409143246.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408868417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408399417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.769433826.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409166204.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409046116.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408598327.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49e94a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49e94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.769302653.00000000049E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_004015E3 LoadLibraryA,GetProcAddress, 3_2_004015E3
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.189.151.28 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.189.151.70 80
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB3365 cpuid 3_2_00CB3365
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00401C83 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 3_2_00401C83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_004010C4 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 3_2_004010C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB3365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_00CB3365

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000003.409022533.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408311834.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409143246.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408868417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408399417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.769433826.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409166204.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409046116.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408598327.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49e94a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49e94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.769302653.00000000049E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000003.00000003.409022533.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408311834.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409143246.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408868417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408399417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.769433826.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409166204.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409046116.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.408598327.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49e94a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49e94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.769302653.00000000049E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY