Windows Analysis Report
pzG0rkIchr.dll

Overview

General Information

Sample Name: pzG0rkIchr.dll
Analysis ID: 752975
MD5: d6ef4778f7dc9c31a0a2a989ef42d2fd
SHA1: 5dad8394ef37d5a006674589754f7a3187d303b1
SHA256: 54de1f2c26a63a8f6b7f8d5de99f8ebd4093959ab07f027db1985d0652258736
Tags: exeLDR4

Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Performs DNS queries to domains with low reputation
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Checks if the current process is being debugged
Registers a DLL
Launches processes in debugging mode, may be used to hinder debugging
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

AV Detection

Source: pzG0rkIchr.dll Virustotal: Detection: 57%
Source: pzG0rkIchr.dll ReversingLabs: Detection: 73%
Source: https://reaso.xyz Avira URL Cloud: Label: malware
Source: gigimas.xyz Virustotal: Detection: 14%
Source: https://gigimas.xyz Virustotal: Detection: 11%
Source: 4.3.rundll32.exe.17b359400d0.0.raw.unpack Malware Configuration Extractor: Ursnif {"c2_domain": ["https://gigimas.xyz", "https://reaso.xyz"], "botnet": "202206061", "aes key": "eq2opFFpGzpd2p9t", "sleep time": "20", "request time": "30", "host keep time": "120", "host shift time": "120"}
Source: pzG0rkIchr.dll Static PE information: certificate valid
Source: pzG0rkIchr.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130EFB70 FindFirstFileExA, 0_2_00007FFC130EFB70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFC130EFB70 FindFirstFileExA, 3_2_00007FFC130EFB70
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFC130EFB70 FindFirstFileExA, 8_2_00007FFC130EFB70

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.250.148.35 443
Source: C:\Windows\System32\regsvr32.exe Domain query: gigimas.xyz
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:61007 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:60686 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:61124 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:59444 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:55570 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:64906 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:59446 -> 8.8.8.8:53
Source: C:\Windows\System32\regsvr32.exe DNS query: gigimas.xyz
Source: Joe Sandbox View ASN Name: FIRSTDC-ASRU
Source: Joe Sandbox View IP Address: 185.250.148.35
Source: pzG0rkIchr.dll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: WerFault.exe, 0000000D.00000002.379355430.000001EA8F2E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WerFault.exe, 0000000D.00000002.379355430.000001EA8F2E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: pzG0rkIchr.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: pzG0rkIchr.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: pzG0rkIchr.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: pzG0rkIchr.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: pzG0rkIchr.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: pzG0rkIchr.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: pzG0rkIchr.dll String found in binary or memory: http://ocsp.comodoca.com0
Source: pzG0rkIchr.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: loaddll64.exe, 00000000.00000003.631018067.0000020164340000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.641761210.00000000021BD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.641543041.00000000020E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.357258070.0000017B374A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.357488590.00000201A4290000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz
Source: regsvr32.exe, 00000003.00000003.466330233.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.596495160.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.595788178.0000000000815000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.531293534.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.641484903.0000000000813000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.596407001.0000000000813000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.641359278.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.466249755.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/
Source: regsvr32.exe, 00000003.00000003.466330233.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.596506826.000000000078D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.596495160.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.531293534.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.641359278.00000000007E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/index.html
Source: regsvr32.exe, 00000003.00000003.596495160.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.641359278.00000000007E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/index.html5F
Source: regsvr32.exe, 00000003.00000003.466312748.00000000007DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/index.html9Pu/Jl
Source: regsvr32.exe, 00000003.00000002.641214444.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.596466270.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.531265696.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/index.htmlT
Source: regsvr32.exe, 00000003.00000002.641004710.0000000000785000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/index.htmlm
Source: regsvr32.exe, 00000003.00000003.531293534.00000000007E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz:443/index.html
Source: regsvr32.exe, 00000003.00000003.596495160.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.641359278.00000000007E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz:443/index.htmlY_
Source: regsvr32.exe, 00000003.00000002.641761210.00000000021BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyzhttps://reaso.xyz
Source: loaddll64.exe, 00000000.00000003.631032238.0000020164342000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.641554871.00000000020E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.357262173.0000017B374A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.357492545.00000201A4292000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://http://Mozilla/5.0
Source: regsvr32.exe, 00000003.00000002.641761210.00000000021BD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.641543041.00000000020E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.357258070.0000017B374A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.357488590.00000201A4290000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reaso.xyz
Source: pzG0rkIchr.dll String found in binary or memory: https://sectigo.com/CPS0
Source: unknown DNS traffic detected: queries for: gigimas.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 1556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5264, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 1556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5264, type: MEMORYSTR
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6044 -s 276
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000201640CA0AC CreateFileW,NtQueryDirectoryFile, 0_2_00000201640CA0AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073A0AC CreateFileW,NtQueryDirectoryFile, 3_2_0073A0AC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000017B359EA0AC CreateFileW,NtQueryDirectoryFile, 4_2_0000017B359EA0AC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000201A29AA0AC CreateFileW,NtQueryDirectoryFile, 5_2_00000201A29AA0AC
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: pzG0rkIchr.dll Virustotal: Detection: 57%
Source: pzG0rkIchr.dll ReversingLabs: Detection: 73%
Source: pzG0rkIchr.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\pzG0rkIchr.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pzG0rkIchr.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,ItsnPq5v
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,QlqYo259k
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6044 -s 276
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6136 -s 304
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6136 -s 304
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pzG0rkIchr.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,ItsnPq5v
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,QlqYo259k
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6136 -s 304
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC43.tmp
Source: classification engine Classification label: mal92.troj.evad.winDLL@19/8@4/2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6044
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\ManagerMui
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6136
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: pzG0rkIchr.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: pzG0rkIchr.dll Static PE information: certificate valid
Source: pzG0rkIchr.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: pzG0rkIchr.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: UxTheme.pdb source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb source: WerFault.exe, 0000000D.00000003.375083510.000001EA8FE94000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb0 source: WerFault.exe, 0000000D.00000003.359316080.000001EA8F2F7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.370137520.000001EA8F2F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb"V source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: elbase.pdb source: WerFault.exe, 0000000D.00000002.379074933.000001EA8D552000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.370270156.000001EA8D563000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb8 source: WerFault.exe, 0000000D.00000003.375083510.000001EA8FE94000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32full.pdb8 source: WerFault.exe, 0000000D.00000003.375083510.000001EA8FE94000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb8 source: WerFault.exe, 0000000D.00000003.375083510.000001EA8FE94000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: user32.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.375077557.000001EA8FE90000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 0000000D.00000003.370270156.000001EA8D563000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.373102112.000001EA8F2EA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.359276516.000001EA8F2EA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 0000000D.00000003.371722395.000001EA8F2F1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.370270156.000001EA8D563000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.359287144.000001EA8F2F1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwmapi.pdb6V source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.359149665.000001EA8F2E4000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.370270156.000001EA8D563000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.359079833.000001EA8F379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdb!V source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: WerFault.exe, 0000000D.00000003.375083510.000001EA8FE94000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32full.pdb source: WerFault.exe, 0000000D.00000003.375083510.000001EA8FE94000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: user32.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb0 source: WerFault.exe, 0000000D.00000003.373102112.000001EA8F2EA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.359276516.000001EA8F2EA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: WerFault.exe, 0000000D.00000003.359316080.000001EA8F2F7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.370137520.000001EA8F2F7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 0000000D.00000003.371722395.000001EA8F2F1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.359287144.000001EA8F2F1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imm32.pdb source: WerFault.exe, 0000000D.00000003.375077557.000001EA8FE90000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130FB9B0 LoadLibraryA,GetProcAddress, 0_2_00007FFC130FB9B0
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pzG0rkIchr.dll

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 1556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5264, type: MEMORYSTR
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 1568 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2516 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2768 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe API coverage: 3.7 %
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130EFB70 FindFirstFileExA, 0_2_00007FFC130EFB70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFC130EFB70 FindFirstFileExA, 3_2_00007FFC130EFB70
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFC130EFB70 FindFirstFileExA, 8_2_00007FFC130EFB70
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll64.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: WerFault.exe, 0000000D.00000003.376776710.000001EA8F378000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.376906678.000001EA8F37C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllqCWW
Source: regsvr32.exe, 00000003.00000002.641033491.000000000078E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.596506826.000000000078D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: WerFault.exe, 0000000D.00000003.378482368.000001EA8F388000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000002.379511936.000001EA8F368000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: regsvr32.exe, 00000003.00000003.466330233.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.596495160.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.531293534.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.401143685.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.641359278.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000002.379494368.000001EA8F35C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.378323908.000001EA8F35C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000003.00000003.466330233.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.596495160.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.531293534.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.401143685.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.641359278.00000000007E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWa[g6
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130EBC0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFC130EBC0C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130FB9B0 LoadLibraryA,GetProcAddress, 0_2_00007FFC130FB9B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130E2380 GetProcessHeap,HeapAlloc,CreateFileA,TryEnterCriticalSection, 0_2_00007FFC130E2380
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6136 -s 304
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130EBC0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFC130EBC0C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130EE374 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFC130EE374
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130F6DA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FFC130F6DA4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFC130EBC0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFC130EBC0C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFC130EE374 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFC130EE374
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFC130F6DA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFC130F6DA4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFC130EBC0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFC130EBC0C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFC130EE374 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFC130EE374
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFC130F6DA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FFC130F6DA4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.250.148.35 443
Source: C:\Windows\System32\regsvr32.exe Domain query: gigimas.xyz
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6136 -s 304
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130F65F0 cpuid 0_2_00007FFC130F65F0
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130FED60 CreateNamedPipeA, 0_2_00007FFC130FED60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC130EBB08 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FFC130EBB08

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 1556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5264, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 1556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5264, type: MEMORYSTR