Windows Analysis Report
c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

Overview

General Information

Sample Name: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll
Analysis ID: 753126
MD5: 590d96a7be55240ad868ebec78ce38f2
SHA1: 2aaf8acb010dfe83b808d7cc77f6821aaf44f3d2
SHA256: 846a8058cda54207aebb885f99dab0eab57529eb8dd94a3d57bbde2e93c4aad4
Tags: exe

Detection

Ursnif
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll Virustotal: Detection: 33%
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll ReversingLabs: Detection: 21%
Source: https://higmon.cyou/index.htmlce Avira URL Cloud: Label: malware
Source: https://higmon.cyou/index.html Avira URL Cloud: Label: malware
Source: https://higmon.cyou/ Avira URL Cloud: Label: malware
Source: https://prises.cyou Avira URL Cloud: Label: malware
Source: https://higmon.cyou Avira URL Cloud: Label: malware
Source: higmon.cyou Virustotal: Detection: 20%
Source: https://prises.cyou Virustotal: Detection: 18%
Source: https://higmon.cyou/index.html Virustotal: Detection: 10%
Source: 3.2.regsvr32.exe.ac1e00.0.raw.unpack Malware Configuration Extractor: Ursnif {"c2_domain": ["https://higmon.cyou", "https://prises.cyou"], "botnet": "202208151", "aes key": "VHpr3Unea0fVqBYc", "sleep time": "1", "request time": "10", "host keep time": "2", "host shift time": "1"}
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.8.147.179 443
Source: C:\Windows\System32\regsvr32.exe Domain query: higmon.cyou
Source: Traffic Snort IDS: 2039637 ET TROJAN Observed DNS Query to Ursnif Domain (higmon .cyou) 192.168.2.7:60326 -> 8.8.8.8:53
Source: Joe Sandbox View ASN Name: VMAGE-ASRU VMAGE-ASRU
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: loaddll64.exe, 00000000.00000002.587434823.0000023124120000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701616295.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701604821.000000000266E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.311124854.000002233FD80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.311225044.0000020DA3AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://higmon.cyou
Source: regsvr32.exe, 00000003.00000002.701457779.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://higmon.cyou/
Source: regsvr32.exe, 00000003.00000002.701416611.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701474761.0000000000B06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://higmon.cyou/index.html
Source: regsvr32.exe, 00000003.00000002.701416611.0000000000A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://higmon.cyou/index.htmlce
Source: regsvr32.exe, 00000003.00000002.701604821.000000000266E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://higmon.cyouhttps://prises.cyou
Source: loaddll64.exe, 00000000.00000002.587439990.0000023124122000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701620342.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.311135038.000002233FD82000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.311230320.0000020DA3AA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://http://Mozilla/5.0
Source: regsvr32.exe, regsvr32.exe, 00000003.00000002.701786113.00007FFA0AE63000.00000008.00000001.01000000.00000003.sdmp, c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll String found in binary or memory: https://my.tealiumiq.com/urest/legacy/tagcompanion/getProfile?utid=
Source: loaddll64.exe, 00000000.00000002.587434823.0000023124120000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701616295.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701604821.000000000266E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.311124854.000002233FD80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.311225044.0000020DA3AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://prises.cyou
Source: unknown DNS traffic detected: queries for: higmon.cyou

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 5252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 5252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018000508C 0_2_000000018000508C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180004A14 0_2_0000000180004A14
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180003A24 0_2_0000000180003A24
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180001844 0_2_0000000180001844
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180009C54 0_2_0000000180009C54
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180006344 0_2_0000000180006344
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180005748 0_2_0000000180005748
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180002B60 0_2_0000000180002B60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180008D78 0_2_0000000180008D78
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800027D4 0_2_00000001800027D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004A14 3_2_0000000180004A14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001844 3_2_0000000180001844
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000508C 3_2_000000018000508C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006344 3_2_0000000180006344
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800027D4 3_2_00000001800027D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003A24 3_2_0000000180003A24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009C54 3_2_0000000180009C54
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005748 3_2_0000000180005748
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002B60 3_2_0000000180002B60
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008D78 3_2_0000000180008D78
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000508C 4_2_000000018000508C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180004A14 4_2_0000000180004A14
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180003A24 4_2_0000000180003A24
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001844 4_2_0000000180001844
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009C54 4_2_0000000180009C54
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006344 4_2_0000000180006344
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180005748 4_2_0000000180005748
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002B60 4_2_0000000180002B60
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008D78 4_2_0000000180008D78
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800027D4 4_2_00000001800027D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000508C 5_2_000000018000508C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180004A14 5_2_0000000180004A14
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180003A24 5_2_0000000180003A24
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001844 5_2_0000000180001844
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180009C54 5_2_0000000180009C54
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180006344 5_2_0000000180006344
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180005748 5_2_0000000180005748
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002B60 5_2_0000000180002B60
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180008D78 5_2_0000000180008D78
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800027D4 5_2_00000001800027D4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError, 0_2_0000000180005CA4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError, 3_2_0000000180005CA4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError, 4_2_0000000180005CA4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError, 5_2_0000000180005CA4
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll Virustotal: Detection: 33%
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll ReversingLabs: Detection: 21%
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,DllRegisterServer
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\cmd.exe cmd /c "echo Commands" >> C:\Users\user\AppData\Local\Temp\2F60.tmp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,FgnfMvSNFULXZx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\cmd.exe cmd /c "dir" >> C:\Users\user\AppData\Local\Temp\2F60.tmp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,KVpawdrrKTUjeZuk
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,FgnfMvSNFULXZx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,KVpawdrrKTUjeZuk
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\cmd.exe cmd /c "echo Commands" >> C:\Users\user\AppData\Local\Temp\2F60.tmp
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\cmd.exe cmd /c "dir" >> C:\Users\user\AppData\Local\Temp\2F60.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1332:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\ManagerMui
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Local\Temp\2F60.tmp
Source: regsvr32.exe String found in binary or memory: ute;top:50%;cursor:pointer}.ui-lightbox-nav-left{left:0}.ui-lightbox-nav-right{right:0}.ui-lightbox-loading{background:url(images/loading.gif) #000 50% no-repeat}.ui-lightbox-caption{padding:.2em .4em;display:none}.ui-lightbox-caption-text{margin:.3em 0 .1em;f
Source: regsvr32.exe String found in binary or memory: ;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}select[multiple].input-group-sm>.form-contr
Source: regsvr32.exe String found in binary or memory: cess .form-control{border-color:#3c763d;box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color
Source: regsvr32.exe String found in binary or memory: l,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn,textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn{height:auto}.input-group-a
Source: regsvr32.exe String found in binary or memory: ing:3px}.ui-terminal-input{border:0 none;background-color:transparent;color:inherit;padding:0;margin:0 0 0 2px;width:75%;outline:0;vertical-align:baseline}.ui-terminal-command{margin-left:2px;-moz-margin-start:3px}.ui-terminal-input::-ms-clear{display:none}.ui
Source: regsvr32.exe String found in binary or memory: ay:block;width:100%}.loading{position:fixed;top:0;left:0;right:0;bottom:0;background-color:#fff;background-image:url(/static/uploads/assets/images/loader.gif);background-position:50% 50%;background-repeat:no-repeat;opacity:0;visibility:hidden;z-index:100}.load
Source: regsvr32.exe String found in binary or memory: rol,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-
Source: regsvr32.exe String found in binary or memory: dius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{font-size:0;white-space:nowrap}.input-group-btn,.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:active,.input-group-btn>.btn:focus,.in
Source: regsvr32.exe String found in binary or memory: yphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphico
Source: regsvr32.exe String found in binary or memory: tn>.btn,textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30p
Source: regsvr32.exe String found in binary or memory: -vertical .slick-slide{display:block;height:auto;border:1px solid transparent}.slick-arrow.slick-hidden{display:none}.slick-loading .slick-list{background:#fff url(../static/uploads/assets/images/loader.gif) 50% no-repeat}@font-face{font-family:slick;src:url(.
Source: regsvr32.exe String found in binary or memory: :inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .checkbox,.has-error .checkbox-inline,.has-error.checkbox
Source: regsvr32.exe String found in binary or memory: addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=checkbox],.input-group-addon input[type=radio]{margin-top:0}.input-group-addon:first-c
Source: regsvr32.exe String found in binary or memory: ble;vertical-align:middle}.navbar-form .input-group .form-control,.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;
Source: regsvr32.exe String found in binary or memory: don,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-gr
Source: regsvr32.exe String found in binary or memory: datatable .ui-column-resizer{display:block;position:absolute!important;top:0;right:0;margin:0;width:8px;height:100%;padding:0;cursor:col-resize;border:1px solid transparent}.ui-datatable .ui-column-resizer-helper{width:1px;position:absolute;z-index:10;display:
Source: regsvr32.exe String found in binary or memory: up-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group
Source: regsvr32.exe String found in binary or memory: images/loader.gif);background-position:50% 50%;background-repeat:no-repeat;background-size:28px auto}.wrapper{position:relative;overflow:hidden;width:100%;height:100%;min-width:320px}.content{margin:0 auto;background-color:#fff}@media only screen and (max-widt
Source: regsvr32.exe String found in binary or memory: rgin:0;padding:0;border:0;outline:0;line-height:1.3;text-decoration:none;font-size:100%;list-style:none}.ui-helper-clearfix:after,.ui-helper-clearfix:before{content:"";display:table}.ui-helper-clearfix:after{clear:both}.ui-helper-clearfix{zoom:1}.ui-helper-zfi
Source: regsvr32.exe String found in binary or memory: ine .input-group .form-control,.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline
Source: regsvr32.exe String found in binary or memory: ,.input-group .form-control:first-child{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group-addon:last-child,.input-group-btn:first-child>.btn-group:not(:first-child)>.btn,.input-group-btn:first-chi
Source: regsvr32.exe String found in binary or memory: 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedba
Source: regsvr32.exe String found in binary or memory: y:inline-block!important}}@media print{.hidden-print{display:none!important}}.ui-helper-hidden{display:none}.ui-helper-hidden-accessible{border:0;clip:rect(0 0 0 0);height:1px;margin:-1px;overflow:hidden;padding:0;position:absolute;width:1px}.ui-helper-reset{m
Source: regsvr32.exe String found in binary or memory: nput-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.3333333;border-radius:6px}select.input-group-lg>.form-con
Source: classification engine Classification label: mal88.troj.evad.winDLL@20/1@1/1
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800112EE push rax; ret 0_2_00000001800112EF
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000018001112F push rcx; iretd 0_2_0000000180011130
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA0AE649F8 push rbx; retf 3_2_00007FFA0AE649F9
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800112EE push rax; ret 3_2_00000001800112EF
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001112F push rcx; iretd 3_2_0000000180011130
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800112EE push rax; ret 4_2_00000001800112EF
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001112F push rcx; iretd 4_2_0000000180011130
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800112EE push rax; ret 5_2_00000001800112EF
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001112F push rcx; iretd 5_2_0000000180011130
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll Static PE information: section name: .sedt
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 5252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 5140 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe API coverage: 7.5 %
Source: C:\Windows\System32\rundll32.exe API coverage: 7.5 %
Source: C:\Windows\System32\rundll32.exe API coverage: 7.5 %
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\cmd.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: regsvr32.exe, 00000003.00000002.701416611.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701484036.0000000000B17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.8.147.179 443
Source: C:\Windows\System32\regsvr32.exe Domain query: higmon.cyou
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001800045E8 GetSystemTimeAsFileTime,LeaveCriticalSection, 0_2_00000001800045E8

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 5252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 5252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR