
NdmYtW.dll

Status: finished
Submission Time: 2022-04-22 15:34:26 +02:00
Malicious
Trojan
Evader
Ursnif

Tags

  • dll

Details

  • Analysis ID:
    613876
  • API (Web) ID:
    981391
  • Analysis Started:
    2022-04-22 15:42:24 +02:00
  • Analysis Finished:
    2022-04-22 15:55:21 +02:00
  • MD5:
    f0f0659d9838d978a8b7e7391b81c801
  • SHA1:
    6adf95dab8d012a85ee4ed93f970d610ea2138bc
  • SHA256:
    f32f9fed2539cf3a6f585bc961035ccf3a03095c1f27e688f2da2811eca045f1
  • Technologies:

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
13/42

IPs

  • 146.70.35.138
    Country: United Kingdom

URLs

  • http://146.70.35.138/phpadmin/yqCVBtpTjqi/BUOCnFz_2FQ9Q6/Ryq6_2FVcLDZFmEPKym4J/ZSIV2cDStqNq5Itu/aCSVqy9IZ_2FYMn/gy1HuII7fhtEGD3fSs/mhq0bGlYc/e1NHdmmrmU_2B1hHMDIl/GWAynNsuJSGG6XyVyGK/bQ3sc2CYQDTudJ7F7zgFxZ/TtArsuT1Etq1o/X_2BFjD5/2xRs0olUFTCo8fJjt4hQs1z/QkSmysjcNd/9Y6qrwi9B0UodRXgK/tMT7vbJ8/z.src
  • http://146.70.35.138/phpadmin/DO_2B54suq9uGv3bL/WcaJ8LTtzS6r/_2B2L8YYoDl/k1C6IodNv9jgnf/9g8FHqdhALJVMODlyIRig/IxM63PUvFPdfvfq2/9SzMpqq4V5UIjTW/ZByGGozk9ceileQl78/VqmnMkaMH/dmauAZ_2BL52juufO3M8/XKCTlNzlGU8e3i9RF_2/FCeeyEtI_2B_2B3oimwxkJ/7tESJGJVusqss/o_2FcLN6/1ty6v0xs0WmjPN_2FH9HK5Z/x2MDCyEEKo/qQ_2B.src
  • http://146.70.35.138/phpadmin/Um963rWMEUv_2FQUj/C4B8aEFv190w/A5TajDjMaUf/jFq7m82I_2FfW0/xfk4dUQFJptIVQ8QijyxZ/Rnxe9nLPzUagnEWj/ByIDCYY3X9WXEkZ/pBaNc359J4xdZVYnqG/XYbCQfv4k/m6CVJrjNW8fp7w2_2Fhn/P08qjUP5vr_2BNMkjwY/ilwawg4j_2F2eiFOO_2FjH/WtLNE2RDmtpjx/aoDn0KZw/UGwP15wSR7Pb3ZLm7s_2Bm_/2F5nowwmmj/8Tm.src
  • http://https://file://USER.ID%lu.exe/upd
  • http://constitution.org/usdeclar.txt
  • http://constitution.org/usdeclar.txtC:

Dropped files

Name and file type (no hashes or detections are shown in the report for these entries):

  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_20e622abffa5775ef41a222dc31251babfb4527_7cac0383_1b67ca62\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5fa21f6577568642ef2a26a9573ce156e4bc8_7cac0383_1b8fe099\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_77fedd926fb8456368a0809e68225ec9bb4c64f4_7cac0383_11b404ac\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1C7.tmp.dmp
    Mini DuMP crash report, 15 streams, Fri Apr 22 22:43:42 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6E8.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC93B.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERD53F.tmp.dmp
    Mini DuMP crash report, 15 streams, Fri Apr 22 22:43:46 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8CA.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9F4.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFEB.tmp.dmp
    Mini DuMP crash report, 15 streams, Fri Apr 22 22:43:55 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDD7.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF5E.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Temp\0sg2urkr\0sg2urkr.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\0sg2urkr\0sg2urkr.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\0sg2urkr\0sg2urkr.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\0sg2urkr\0sg2urkr.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\0sg2urkr\CSC9E8D9CF5EFB2455BAC85F18857F6B836.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\RES23CB.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
  • C:\Users\user\AppData\Local\Temp\RES249.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmmtdzt1.vyi.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tr2pkc1k.yzu.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\s5wot0wy\CSC4A66175C42A34DCCBF374AEBACAD802E.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\s5wot0wy\s5wot0wy.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\s5wot0wy\s5wot0wy.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\s5wot0wy\s5wot0wy.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\s5wot0wy\s5wot0wy.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators