Windows Analysis Report
test2.dll

Overview

General Information

Sample Name: test2.dll
(renamed file extension from bin to dll, renamed because original name is a hash value)
Original Sample Name: test2.bin
Analysis ID: 828211
MD5: 69a88f93c1ec9c8ecc66b7d19fb4a9aa
SHA1: 74dca80be03ab4dcc6bac81e794b6a02b56c4574
SHA256: c825d867fb0bf1ba55b89f4bb1c6db13020792ceb175e84fac5f72cfa161726f
Infos:

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: test2.dll Avira: detected
Multi AV Scanner detection for submitted file
Source: test2.dll Virustotal: Detection: 39% Perma Link
Machine Learning detection for sample
Source: test2.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.10000000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 3.2.rundll32.exe.10000000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Uses 32bit PE files
Source: test2.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected Ursnif
Source: Yara match File source: test2.dll, type: SAMPLE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

E-Banking Fraud
barindex
Yara detected Ursnif
Source: Yara match File source: test2.dll, type: SAMPLE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Uses 32bit PE files
Source: test2.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
PE file does not import any functions
Source: test2.dll Static PE information: No import functions for PE file found
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 636
Source: test2.dll Virustotal: Detection: 39%
Source: test2.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\test2.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 636
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5092
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:488:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF153.tmp Jump to behavior
Source: classification engine Classification label: mal68.troj.winDLL@7/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075C079 push ebx; ret 3_2_0075C093
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0076AC78 push eax; iretd 3_2_0076AC79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0076A050 pushad ; ret 3_2_0076A12D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0076D25D pushfd ; ret 3_2_0076D283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0076BE4D pushad ; ret 3_2_0076BE59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0076A832 push esp; ret 3_2_0076A833
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00769022 push ebp; ret 3_2_0076902B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007662E9 push ds; ret 3_2_00766363
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00768ED0 pushad ; ret 3_2_00768ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075EAAD push edx; retf 3_2_0075EB39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075EAA8 pushad ; retf 3_2_0075EAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0076CE9D push cs; ret 3_2_0076CF13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075E975 push edi; ret 3_2_0075E98B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075CF72 push esi; ret 3_2_0075D023
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00766364 push es; ret 3_2_007663A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075A952 push esp; ret 3_2_0075A953
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075E95D push esp; ret 3_2_0075E973
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075E95A push ecx; ret 3_2_0075E95B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075C735 push es; ret 3_2_0075C75B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00769725 pushad ; ret 3_2_0076998B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075EB22 push edx; retf 3_2_0075EB39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075AB10 push edi; ret 3_2_0075AB11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075A912 push eax; ret 3_2_0075A933
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075D91C push 800075D8h; iretd 3_2_0075D921
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075C700 push 200075C7h; retn 0075h 3_2_0075C70D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075EB0F push ecx; retf 3_2_0075EB21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007663E2 push cs; ret 3_2_007663E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0076CFDD push esi; ret 3_2_0076D053
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0075E7C0 push ds; ret 3_2_0075E7C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0076B1BE pushfd ; ret 3_2_0076B27B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00760BA5 push ecx; ret 3_2_00760BBB

Hooking and other Techniques for Hiding and Protection
barindex
Yara detected Ursnif
Source: Yara match File source: test2.dll, type: SAMPLE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information
barindex
Yara detected Ursnif
Source: Yara match File source: test2.dll, type: SAMPLE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

Remote Access Functionality
barindex
Yara detected Ursnif
Source: Yara match File source: test2.dll, type: SAMPLE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 828211 Sample: test2.bin Startdate: 16/03/2023 Architecture: WINDOWS Score: 68 18 Antivirus / Scanner detection for submitted sample 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected  Ursnif 2->22 24 Machine Learning detection for sample 2->24 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 conhost.exe 8->12         started        process5 14 rundll32.exe 10->14         started        process6 16 WerFault.exe 24 9 14->16         started       
No contacted IP infos