Windows Analysis Report
unpacked (1).dll

Overview

General Information

Sample Name: unpacked (1).dll
(renamed file extension from bin to dll, renamed because original name is a hash value)
Original Sample Name: unpacked (1).bin
Analysis ID: 828171
MD5: 895004ddaa3758ac453d73e3d8c1f45f
SHA1: 0fb1a2c06513134ff699f4f286a71f1671918180
SHA256: 74ef237a5145c0d85ee7575c283493a2bd0ae116590c06749cf1ed72f655b997
Infos:

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Checks if the current process is being debugged
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

barindex
Source: unpacked (1).dll Avira: detected
Source: unpacked (1).dll ReversingLabs: Detection: 43%
Source: unpacked (1).dll Virustotal: Detection: 37% Perma Link
Source: unpacked (1).dll Joe Sandbox ML: detected
Source: 0.2.loaddll32.exe.10000000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 3.2.rundll32.exe.10000000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: unpacked (1).dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: Yara match File source: unpacked (1).dll, type: SAMPLE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE

E-Banking Fraud

barindex
Source: Yara match File source: unpacked (1).dll, type: SAMPLE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: unpacked (1).dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unpacked (1).dll Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 644
Source: unpacked (1).dll ReversingLabs: Detection: 43%
Source: unpacked (1).dll Virustotal: Detection: 37%
Source: unpacked (1).dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\unpacked (1).dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 644
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5144
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9984.tmp Jump to behavior
Source: classification engine Classification label: mal68.troj.winDLL@7/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Source: Yara match File source: unpacked (1).dll, type: SAMPLE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.5.dr Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.5.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1 Jump to behavior
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information

barindex
Source: Yara match File source: unpacked (1).dll, type: SAMPLE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

barindex
Source: Yara match File source: unpacked (1).dll, type: SAMPLE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE