Windows Analysis Report
BJp3aUvrt9

Overview

General Information

Sample Name: BJp3aUvrt9 (renamed file extension from none to dll)
Analysis ID: 628121
MD5: 9046f78804227bd742d558325fa8f4c0
SHA1: 37ddabb88b909290e1da368f275448a880887482
SHA256: e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d
Tags: dll

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 2.2.rundll32.exe.8f0000.0.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "uFHdIp1dwWhvkEA2yTiBbeuMW6YDB1lsKD5xr+wbKQpSTgCxKW/AXnU7L/HiYIBOAaOvelJb2/pY2jRw/FTeNeGEktAn4DWXMKOPXXT0NA64cjWTlmZ01c3ZQu3caOM/Vp3zMRoE3uvOCFkw5pB9m5AVXCHf7c66rMBTCpzNlB06TLav0Zslv7QoNXagpBRObC3w6aRV9zoEMPsKo8dDtjcXrpjT3cmo/nK2BeLeCRHw4m+Z1wNt/QFKG0JSvLN7KWGp2TqLTGCk8sWmJopJGBcCeH8dEEcUduFFgdi8Cilu/K4cd0diqylW1QdRW2VJSAgt/TyNLQ8XGjESLVVFp5dI5rtAU8yovXe+vZ9IsF8=", "c2_domain": ["config.edge.skype.com", "185.189.151.28", "185.189.151.70"], "botnet": "3000", "server": "50", "serpent_key": "noA8W2qeaw7z6wk9", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: BJp3aUvrt9.dll ReversingLabs: Detection: 31%
Source: http://185.189.151.28/ Avira URL Cloud: Label: malware
Source: http://185.189.151.28/drew/Gno4E_2Fz/JYCqWA_2FqMmY1RZwoiB/wugIArNn94bFR0HD9u1/3DvnzuRELDO66MgbIMgnTX Avira URL Cloud: Label: malware
Source: http://185.189.151.70/? Avira URL Cloud: Label: malware
Source: http://185.189.151.70/ Avira URL Cloud: Label: malware
Source: BJp3aUvrt9.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 2_2_010F5FBB
Source: BJp3aUvrt9.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: uwGXyM.pdb source: loaddll32.exe, 00000000.00000000.262732571.000000000085D000.00000002.00000001.01000000.00000003.sdmp, BJp3aUvrt9.dll

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.189.151.28 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.189.151.70 80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 13.107.42.16:80
Source: global traffic TCP traffic: 192.168.2.3:49755 -> 185.189.151.28:80
Source: global traffic TCP traffic: 192.168.2.3:49825 -> 185.189.151.70:80
Source: Joe Sandbox View ASN Name: AS-SOFTPLUSCH AS-SOFTPLUSCH
Source: Joe Sandbox View IP Address: 185.189.151.28 185.189.151.28
Source: unknown TCP traffic detected without corresponding DNS query: 185.189.151.28 (seen 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 185.189.151.70 (seen 3 times)
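The DNS-less connections above are the kind of signal a detection engineer reproduces from endpoint telemetry rather than from a sandbox. The following is an added example, not part of the Joe Sandbox report: it walks Sysmon-style network-connect (Event ID 3) and DNS-query (Event ID 22) records in time order and flags connections from a short, assumed list of Windows system binaries to globally routable addresses that no earlier DNS answer in the same process returned. The event records are constructed to mirror this report (rundll32.exe PID 6472 reaching 185.189.151.28 and 185.189.151.70 with no lookup, and 13.107.42.16 after resolving config.edge.skype.com); they are not taken from the sandbox capture, and the QueryResults format is modelled on Sysmon's IPv4-mapped notation.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed list of Windows binaries that should not originate first-contact HTTP
# traffic on their own (lower-cased for comparison). Extend to taste.
SYSTEM_BINARIES = {
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\syswow64\rundll32.exe",
    r"c:\windows\system32\regsvr32.exe",
    r"c:\windows\syswow64\regsvr32.exe",
    r"c:\windows\system32\mshta.exe",
    r"c:\windows\syswow64\mshta.exe",
}


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-like record: 3 = network connection, 22 = DNS query."""
    event_id: int
    pid: int
    image: str
    dst_ip: str = ""      # Event 3
    dst_port: int = 0     # Event 3
    query: str = ""       # Event 22
    results: str = ""     # Event 22 QueryResults, e.g. "type: 5 x;::ffff:1.2.3.4;"


def answers_from_results(results):
    """Extract IP literals from a Sysmon-style QueryResults string. Sysmon writes
    IPv4 answers as IPv4-mapped IPv6 (::ffff:a.b.c.d); the 'type:' prefix and
    CNAME names are skipped because they do not parse as addresses."""
    ips = set()
    for token in results.split(";"):
        token = token.strip()
        if token.startswith("::ffff:"):
            token = token[len("::ffff:"):]
        try:
            ips.add(str(ip_address(token)))
        except ValueError:
            continue
    return ips


def unresolved_connects(events):
    """A connect is flagged when the source image is a system binary, the
    destination is globally routable, and no DNS query in the same process has
    returned that address earlier in the stream."""
    resolved = defaultdict(set)   # pid -> addresses returned by DNS in that pid
    findings = []
    for ev in events:
        if ev.event_id == 22:
            resolved[ev.pid] |= answers_from_results(ev.results)
        elif ev.event_id == 3:
            if ev.image.lower() not in SYSTEM_BINARIES:
                continue
            try:
                addr = ip_address(ev.dst_ip)
            except ValueError:
                continue
            if not addr.is_global or str(addr) in resolved[ev.pid]:
                continue
            findings.append((ev.pid, ev.image, str(addr), ev.dst_port))
    return findings


RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"

# Constructed events modelled on this report; not extracted from the sandbox.
SAMPLE_EVENTS = [
    Event(22, 6472, RUNDLL32, query="config.edge.skype.com",
          results="type: 5 config.edge.skype.com;::ffff:13.107.42.16;"),
    Event(3, 6472, RUNDLL32, dst_ip="13.107.42.16", dst_port=80),    # resolved: quiet
    Event(3, 6472, RUNDLL32, dst_ip="185.189.151.28", dst_port=80),  # no lookup: flag
    Event(3, 6472, RUNDLL32, dst_ip="185.189.151.70", dst_port=80),  # no lookup: flag
    Event(3, 6472, RUNDLL32, dst_ip="192.168.2.1", dst_port=445),    # private: ignored
    Event(3, 4120, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          dst_ip="185.189.151.28", dst_port=80),                     # not a system binary
]

if __name__ == "__main__":
    for pid, image, ip, port in unresolved_connects(SAMPLE_EVENTS):
        print(f"pid {pid} {image} -> {ip}:{port} with no preceding DNS answer")
```

Correlating per process is what the report's own signature does, and it has the same blind spot: a process that reuses a cached answer, or whose lookup was performed by another process, also looks DNS-less. In production, widen the join to the host plus a time window and treat the result as a scoring input alongside the system-binary check rather than as a standalone alert.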
Source: rundll32.exe, 00000002.00000002.784882231.00000000010DC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.18
Source: rundll32.exe, 00000002.00000002.784730150.0000000000A76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.189.151.28/
Source: rundll32.exe, 00000002.00000002.784730150.0000000000A76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.189.151.28/drew/Gno4E_2Fz/JYCqWA_2FqMmY1RZwoiB/wugIArNn94bFR0HD9u1/3DvnzuRELDO66MgbIMgnTX
Source: rundll32.exe, 00000002.00000002.784646579.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.784730150.0000000000A76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.189.151.70/
Source: rundll32.exe, 00000002.00000002.784730150.0000000000A76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.189.151.70/?
Source: rundll32.exe, 00000002.00000002.784646579.0000000000A49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.189.151.70/drew/1TloxXPDggvUU7SO132dXHA/UogwcX8C6t/D9_2FjX0SVQAwUvNJ/ygMnY8n2kRf7/6ETlzT9
Source: rundll32.exe, 00000002.00000002.784646579.0000000000A49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/drew/qzdAP1F4C_/2FVSRXifD6LesfvXQ/eiTPfMcJsPzH/EhN9_2BOs9N/TNtCRj3BFJm7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F1CA5 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError, 2_2_010F1CA5
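Two things in this section are worth turning into reusable checks. First, the extracted configuration's c2_domain list mixes the two real C2 addresses with config.edge.skype.com, a Microsoft-owned domain; the Snort beacon alert above is for traffic to 13.107.42.16, which is Microsoft address space, so a blocklist built naively from the config would cut off legitimate Microsoft traffic. Second, the request paths under /drew/ carry a base64 payload that has been split with '/' at arbitrary positions and URL-escaped with '_' in place of '%' (so _2F, _2B and _3D stand for '/', '+' and '='); in the config.edge.skype.com URL the split lands inside an escape (C_/2FV), so per-segment decoding fails and the separators have to be removed first. The following is an added example, not code from the report or the sandbox: it parses the configuration JSON copied from the Malware Configuration Extractor line, separates C2 addresses from the decoy, and normalises each observed path back to padded base64. The decoy allowlist and the treatment of the first path segment as a campaign prefix are assumptions of this example, and the escaping convention is taken from public ISFB analyses rather than from this page; the decoded bytes are left as ciphertext because the report gives a Serpent key but no IV or mode.

```python
import base64
import json
from ipaddress import ip_address
from urllib.parse import urlsplit

# Configuration exactly as printed by the report's Malware Configuration Extractor.
CONFIG_JSON = r'''{"RSA Public Key": "uFHdIp1dwWhvkEA2yTiBbeuMW6YDB1lsKD5xr+wbKQpSTgCxKW/AXnU7L/HiYIBOAaOvelJb2/pY2jRw/FTeNeGEktAn4DWXMKOPXXT0NA64cjWTlmZ01c3ZQu3caOM/Vp3zMRoE3uvOCFkw5pB9m5AVXCHf7c66rMBTCpzNlB06TLav0Zslv7QoNXagpBRObC3w6aRV9zoEMPsKo8dDtjcXrpjT3cmo/nK2BeLeCRHw4m+Z1wNt/QFKG0JSvLN7KWGp2TqLTGCk8sWmJopJGBcCeH8dEEcUduFFgdi8Cilu/K4cd0diqylW1QdRW2VJSAgt/TyNLQ8XGjESLVVFp5dI5rtAU8yovXe+vZ9IsF8=", "c2_domain": ["config.edge.skype.com", "185.189.151.28", "185.189.151.70"], "botnet": "3000", "server": "50", "serpent_key": "noA8W2qeaw7z6wk9", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}'''

# C2 URLs recovered from rundll32.exe memory in this report.
OBSERVED_URLS = [
    "http://185.189.151.28/",
    "http://185.189.151.28/drew/Gno4E_2Fz/JYCqWA_2FqMmY1RZwoiB/wugIArNn94bFR0HD9u1/3DvnzuRELDO66MgbIMgnTX",
    "http://185.189.151.70/?",
    "http://185.189.151.70/drew/1TloxXPDggvUU7SO132dXHA/UogwcX8C6t/D9_2FjX0SVQAwUvNJ/ygMnY8n2kRf7/6ETlzT9",
    "http://config.edge.skype.com/drew/qzdAP1F4C_/2FVSRXifD6LesfvXQ/eiTPfMcJsPzH/EhN9_2BOs9N/TNtCRj3BFJm7",
]

# Legitimate hosts that Ursnif configs list next to real C2 as a connectivity
# check. Assumption of this example; keep it as a reviewable allowlist.
KNOWN_DECOYS = {"config.edge.skype.com"}

B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def extract_iocs(config_json):
    """Split c2_domain into blockable IPs, blockable domains and decoys, and record
    the key material sizes. The RSA blob is kept opaque: its decoded length is
    not that of a PEM/DER key, so it is only useful as a fingerprint."""
    cfg = json.loads(config_json)
    ips, domains, decoys = [], [], []
    for entry in cfg["c2_domain"]:
        if entry in KNOWN_DECOYS:
            decoys.append(entry)
            continue
        try:
            ip_address(entry)
            ips.append(entry)
        except ValueError:
            domains.append(entry)
    return {
        "c2_ips": ips,
        "c2_domains": domains,
        "decoys": decoys,
        "botnet": cfg["botnet"],
        "server": cfg["server"],
        "serpent_key_bits": len(cfg["serpent_key"].encode()) * 8,
        "rsa_blob_len": len(base64.b64decode(cfg["RSA Public Key"])),
    }


def normalise_isfb_path(path):
    """Undo the ISFB request-path encoding: drop the per-campaign prefix (first
    segment, "drew" here), remove the '/' separators inserted at random offsets,
    translate the '_'-for-'%' escapes and restore base64 padding.
    Returns None for paths that carry no payload or are not ISFB-shaped."""
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2:
        return None                       # bare "/" or "/?" probes
    body = "".join(segments[1:])          # join first, then unescape: handles "C_/2FV"
    body = body.replace("_2F", "/").replace("_2B", "+").replace("_3D", "=")
    body = body.rstrip("=")
    if not body or not set(body) <= B64_CHARS:
        return None
    return body + "=" * (-len(body) % 4)


def decode_isfb_path(url):
    """Base64-decode a normalised path. The bytes are still Serpent ciphertext
    (128-bit key from the config); decryption is out of scope here."""
    norm = normalise_isfb_path(urlsplit(url).path)
    return None if norm is None else base64.b64decode(norm)


if __name__ == "__main__":
    print(json.dumps(extract_iocs(CONFIG_JSON), indent=2))
    for url in OBSERVED_URLS:
        payload = decode_isfb_path(url)
        print(url, "->", "no payload" if payload is None else f"{len(payload)} ciphertext bytes")
```

The script needs nothing outside the standard library. The path shape itself (a short prefix, then segments drawn only from the base64 alphabet plus _2F/_2B/_3D, with a segment boundary allowed to fall inside an escape) is what the ET rule name above, "URI Struct M1 (_2B)", refers to, and it survives C2 rotation better than the two addresses do; the decoy handling is what keeps an automatically generated blocklist from containing a Microsoft domain.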

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000002.00000003.364421717.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364070986.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364312063.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364235828.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364148388.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364394991.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364278031.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.364350159.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.785582568.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: 2.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.10f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.49c94a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.49c94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.785174567.00000000049C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Source: Yara match File source: the same 15 Ursnif matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing (10 rundll32.exe memory dumps, the rundll32.exe PID 6472 process memory space, and the 4 unpacked PE images at 8f0000, 10f0000 and 49c94a0)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 2_2_010F5FBB

System Summary

Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: BJp3aUvrt9.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008F2274 2_2_008F2274
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F4BF1 2_2_010F4BF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F1645 2_2_010F1645
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F829C 2_2_010F829C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008F1308 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 2_2_008F1308
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008F1000 GetProcAddress,NtCreateSection,memset, 2_2_008F1000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008F2067 NtMapViewOfSection, 2_2_008F2067
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008F2495 NtQueryVirtualMemory, 2_2_008F2495
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F4321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 2_2_010F4321
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F84C1 NtQueryVirtualMemory, 2_2_010F84C1
Source: BJp3aUvrt9.dll Binary or memory string: OriginalFilenamemyfile.exe$ vs BJp3aUvrt9.dll
Source: BJp3aUvrt9.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BJp3aUvrt9.dll ReversingLabs: Detection: 31%
Source: BJp3aUvrt9.dll Static PE information: Section: .text IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\BJp3aUvrt9.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BJp3aUvrt9.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BJp3aUvrt9.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 388
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 396
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 424
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD7E.tmp
Source: classification engine Classification label: mal100.troj.evad.winDLL@8/12@0/2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F68BD CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 2_2_010F68BD
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6424
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts (2 times)
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: Binary string: uwGXyM.pdb source: loaddll32.exe, 00000000.00000000.262732571.000000000085D000.00000002.00000001.01000000.00000003.sdmp, BJp3aUvrt9.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008F2210 push ecx; ret 2_2_008F2219
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008F2263 push ecx; ret 2_2_008F2273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F828B push ecx; ret 2_2_010F829B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F7EA0 push ecx; ret 2_2_010F7EA9
Source: BJp3aUvrt9.dll Static PE information: section name: .erloc
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008F15E3 LoadLibraryA,GetProcAddress, 2_2_008F15E3
Source: BJp3aUvrt9.dll Static PE information: real checksum: 0x79835 should be: 0x6caa0

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: the same 15 Ursnif matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing (10 rundll32.exe memory dumps, the rundll32.exe PID 6472 process memory space, and the 4 unpacked PE images at 8f0000, 10f0000 and 49c94a0)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (7 times)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 times)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (57 times)

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: rundll32.exe, 00000002.00000002.784646579.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.784730150.0000000000A76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008F15E3 LoadLibraryA,GetProcAddress, 2_2_008F15E3
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort (2 times)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.189.151.28 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.189.151.70 80
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BJp3aUvrt9.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F3365 cpuid 2_2_010F3365
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008F1C83 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 2_2_008F1C83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_008F10C4 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 2_2_008F10C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_010F3365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 2_2_010F3365

Stealing of Sensitive Information

Source: Yara match File source: the same 15 Ursnif matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing (10 rundll32.exe memory dumps, the rundll32.exe PID 6472 process memory space, and the 4 unpacked PE images at 8f0000, 10f0000 and 49c94a0)

Remote Access Functionality

Source: Yara match File source: the same 15 Ursnif matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing (10 rundll32.exe memory dumps, the rundll32.exe PID 6472 process memory space, and the 4 unpacked PE images at 8f0000, 10f0000 and 49c94a0)