
Analysis Report SecuriteInfo.com.Mal.EncPk-APW.3323.18304

Overview

General Information

Sample Name: SecuriteInfo.com.Mal.EncPk-APW.3323.18304 (renamed file extension from 18304 to dll)
Analysis ID: 382278
MD5: 937e2c551368757c5e3c3598c41ea7d9
SHA1: 599b5bc9138bec69ac61a82858d2a2115eeab943
SHA256: cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5

Detection

Ursnif
Score: 52 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6780 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6804 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6836 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6824 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
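
The tree above is what a host-based rule would key on: rundll32.exe loading a DLL from the user's Desktop, once by ordinal (#1) and once by the named export DllServer, with one of the two launched through cmd.exe. loaddll32.exe is the harness the sandbox used to load the DLL (its own parent is recorded as unknown), so a production rule should key on the rundll32.exe invocation rather than on it. The Python below is an added example, not part of this report or of any Joe Security rule: it scores constructed process-creation events modelled on the tree (field names follow Sysmon Event ID 1; the two benign control events, their PIDs 7001/7002 and the function names are mine).

```python
import re

# Constructed sample events modelled on the report's Startup process tree
# (field names follow Sysmon Event ID 1). The last two are benign controls
# that a sound rule must not flag.
EVENTS = [
    {"pid": 6780, "Image": r"C:\Windows\System32\loaddll32.exe",
     "ParentImage": "unknown",
     "CommandLine": r"loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'"},
    {"pid": 6804, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\System32\loaddll32.exe",
     "CommandLine": r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1"},
    {"pid": 6836, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1"},
    {"pid": 6824, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\loaddll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer"},
    # Benign controls (hypothetical): a system DLL from explorer, a vendor DLL from svchost.
    {"pid": 7001, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 7002, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Init'},
]

# rundll32 <dll>,<export>  with the DLL path optionally quoted and the export
# either a name (DllServer) or an ordinal (#1).
RUNDLL_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+['"]?(?P<dll>[^'",]+?)['"]?\s*,\s*(?P<export>#?\w+)""",
    re.IGNORECASE)
# Locations an unprivileged user can write to; a DLL loaded from here is unusual.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.IGNORECASE)
SHELLS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")


def evaluate(event):
    """Return the reasons (possibly none) this process-creation event is suspicious."""
    m = RUNDLL_RE.search(event["CommandLine"])
    if not m:
        return []
    dll, export = m.group("dll"), m.group("export")
    reasons = []
    if USER_WRITABLE_RE.match(dll):
        reasons.append(f"rundll32 loads DLL from user-writable path: {dll}")
    if export.startswith("#"):
        reasons.append(f"export called by ordinal ({export}) rather than by name")
    if event["ParentImage"].lower().endswith(SHELLS):
        reasons.append(f"rundll32 spawned by a shell: {event['ParentImage']}")
    return reasons  # a system DLL called by name from a system parent yields []


def detect(events):
    """Map pid -> reasons for every event that trips at least one condition."""
    hits = {}
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits[ev["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid)
        for r in reasons:
            print("   ", r)
```

The cmd.exe wrapper is reported as well because its command line carries the same rundll32 invocation. An ordinal export alone is a weak signal (some legitimate installers call exports by ordinal), which is why it is recorded as a reason rather than used as a verdict on its own.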

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source                                                               Rule                  Description           Author
00000002.00000002.370902825.0000000000A50000.00000004.00000001.sdmp  JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
00000000.00000002.435655612.00000000013D0000.00000004.00000001.sdmp  JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
00000003.00000002.383594776.0000000003220000.00000004.00000001.sdmp  JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
(The Strings column is empty for every match.)

The matching regions sit at 0x13D0000 in loaddll32.exe (process 0), 0xA50000 in rundll32.exe (process 2) and 0x3220000 in rundll32.exe (process 3). They are the same regions listed as unpacked PEs below; no match is reported against the DLL file itself, only against memory and the unpacked code.

Unpacked PEs

Source                                  Rule                  Description           Author
0.2.loaddll32.exe.13d0000.1.raw.unpack  JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
3.2.rundll32.exe.3220000.2.raw.unpack   JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
2.2.rundll32.exe.a50000.2.raw.unpack    JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
(The Strings column is empty for every match.)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Machine Learning detection for sample
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll  Joe Sandbox ML: detected
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match  File source: 00000002.00000002.370902825.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.435655612.00000000013D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.383594776.0000000003220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0.2.loaddll32.exe.13d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.2.rundll32.exe.3220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 2.2.rundll32.exe.a50000.2.raw.unpack, type: UNPACKEDPE

Every category below that cites "Yara detected Ursnif" (E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality) rests on this one rule match against the unpacked code. The run itself recorded no thread injection, dropped files or DNS queries and extracted no configuration, so those capabilities are attributed from the family, not observed in this analysis.

E-Banking Fraud:

Yara detected Ursnif (the same six memory-dump and unpacked-PE matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Detected potential crypto function
Most function offsets (for example 0x150C, 0x1967, 0x2A69, 0x5F16) recur at three image bases, 0x1200000 in loaddll32.exe and 0x7A0000 and 0x3200000 in the two rundll32.exe instances, i.e. the same unpacked code mapped into each process.
Source: C:\Windows\System32\loaddll32.exe  Code functions: 0_2_01205F16, 0_2_01205A25, 0_2_0120150C, 0_2_01203A14, 0_2_01201B1E, 0_2_01205262, 0_2_01202566, 0_2_01201967, 0_2_01202A69, 0_2_01205378, 0_2_01203FAB, 0_2_01202FAF, 0_2_012092B2, 0_2_012031B3, 0_2_012088BA, 0_2_012013C5, 0_2_01201CD0, 0_2_012027D4, 0_2_012043D8
Source: C:\Windows\SysWOW64\rundll32.exe  Code functions: 2_2_007A5F16, 2_2_007A5378, 2_2_007A2A69, 2_2_007A5262, 2_2_007A2566, 2_2_007A1967, 2_2_007A5A25, 2_2_007A1B1E, 2_2_007A3A14, 2_2_007A150C, 2_2_007A43D8, 2_2_007A1CD0, 2_2_007A27D4, 2_2_007A13C5, 2_2_007A88BA, 2_2_007A92B2, 2_2_007A31B3, 2_2_007A3FAB, 2_2_007A2FAF
Source: C:\Windows\SysWOW64\rundll32.exe  Code functions: 3_2_03206A9C, 3_2_03202100, 3_2_0320150C, 3_2_0320510C, 3_2_03203A14, 3_2_03205F16, 3_2_03201B1E, 3_2_03202566, 3_2_03201967, 3_2_03202A69, 3_2_03203574, 3_2_03202FAF, 3_2_032092B2, 3_2_032088BA, 3_2_03204593, 3_2_032013C5, 3_2_03203DCD, 3_2_032027D4

Uses 32bit PE files
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine  Classification label: mal52.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (consulted by the Software Restriction Policy check on process creation; a common benign artefact)
Source: unknown  Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1

PE file contains sections with non-standard names
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll  Static PE information: section name: .code

Uses code obfuscation techniques (call, push, ret)
Each pair below pushes a value and immediately overwrites the new stack slot, so it is equivalent to a plain push of the named register; the pushed operand is dead and only pads the instruction stream.
Source: C:\Windows\System32\loaddll32.exe  Code function 0_2_01205F16, pairs at:
0_2_01205F7B  push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx
0_2_01205F94  push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
0_2_01205FDD  push dword ptr [ebp-08h]; mov dword ptr [esp], eax
0_2_0120604B  push dword ptr [ebp-10h]; mov dword ptr [esp], eax
0_2_01206124  push dword ptr [ebp-08h]; mov dword ptr [esp], eax
0_2_0120614F  push 00000000h; mov dword ptr [esp], edi
0_2_0120625E  push 00000000h; mov dword ptr [esp], edx
0_2_012062B5  push dword ptr [ebp-10h]; mov dword ptr [esp], eax
0_2_01206343  push dword ptr [ebp-10h]; mov dword ptr [esp], eax
0_2_0120635D  push dword ptr [ebp-10h]; mov dword ptr [esp], eax
0_2_01206368  push 00000000h; mov dword ptr [esp], ebp
0_2_01206385  push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
0_2_012063B4  push 00000000h; mov dword ptr [esp], edx
0_2_01206483  push dword ptr [ebp-08h]; mov dword ptr [esp], eax
0_2_012064F2  push dword ptr [ebp-08h]; mov dword ptr [esp], eax
0_2_012064FE  push dword ptr [ebp-10h]; mov dword ptr [esp], eax
0_2_0120650A  push dword ptr [ebp-08h]; mov dword ptr [esp], eax
0_2_01206567  push 00000000h; mov dword ptr [esp], edi
0_2_012065A9  push 00000000h; mov dword ptr [esp], edi
0_2_01206610  push 00000000h; mov dword ptr [esp], eax
0_2_01206685  push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
0_2_012066C2  push dword ptr [ebp-08h]; mov dword ptr [esp], ecx
0_2_012066E8  push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
0_2_01206781  push 00000000h; mov dword ptr [esp], edi
0_2_012067B6  push 00000000h; mov dword ptr [esp], edx
0_2_0120684C  push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
0_2_01206858  push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
0_2_01206926  push dword ptr [ebp-10h]; mov dword ptr [esp], edx
0_2_01206945  push dword ptr [ebp-08h]; mov dword ptr [esp], eax
0_2_01206951  push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
0_2_012069D6  push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif (the same six memory-dump and unpacked-PE matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Source: C:\Windows\System32\loaddll32.exe  Process information set: NOOPENFILEERRORBOX (2 occurrences; the SetErrorMode flag that suppresses the file-not-found dialog)
Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX (10 occurrences)

Program does not show much activity (idle)
Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe  Thread delayed: delay time: 120000 (120000 ms, i.e. 2 minutes)

Contains functionality to read the PEB
The PEB pointer is fetched with xor rather than mov, at the same function offset (0x2A69) in all three images; a signature keyed only on mov eax, fs:[30h] would miss it.
Source: C:\Windows\System32\loaddll32.exe  Code function: 0_2_01202A69 xor edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_007A2A69 xor edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03202A69 xor edi, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
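
Both byte-level findings in this report, the PEB read (xor edi, dword ptr fs:[30h] at offset 0x2A69 in all three images) and the push/mov-[esp] pairs listed under E-Banking Fraud, can be checked with a small scanner. The Python below is an added example, not part of the report or of Joe Security's signatures: a linear-sweep pass over 32-bit code that flags FS-relative absolute reads (fs:[0x30] is the PEB pointer, fs:[0x18] the TEB self-pointer, fs:[0] the SEH chain head) and rewrites each "push X; mov dword ptr [esp], reg" pair to the "push reg" it is equivalent to. The sample bytes are constructed from the report's own disassembly lines plus two controls; they are not taken from the sample file, and the function names are mine.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# "op r32, r/m32" opcodes whose ModRM can address fs:[disp32] (mov, xor, add, sub, cmp).
RM_OPS = {0x8B: "mov", 0x33: "xor", 0x03: "add", 0x2B: "sub", 0x3B: "cmp"}
# Well-known FS-relative offsets in a 32-bit Windows TEB.
FS_OFFSETS = {0x00: "SEH chain head", 0x18: "TEB self pointer", 0x30: "PEB"}

# Constructed sample: the report's own disassembly lines assembled by hand, plus
# two controls. These are not bytes taken from the sample file.
SAMPLE = bytes.fromhex(
    "64 33 3D 30 00 00 00"   # xor edi, dword ptr fs:[30h]       (as at 0_2_01202A69)
    "FF 75 F4 89 14 24"      # push [ebp-0Ch]; mov [esp], edx    (as at 0_2_01205F7B)
    "6A 00 89 3C 24"         # push 0; mov [esp], edi            (as at 0_2_0120614F)
    "64 A1 18 00 00 00"      # mov eax, fs:[18h]   (TEB self pointer: a non-PEB control)
    "C3"                     # ret
)


def scan_fs_reads(code):
    """Return (offset, disassembly, meaning) for each FS-relative absolute read.

    Linear sweep: it does not follow control flow, so a 0x64 byte inside data or
    an immediate can yield a false hit; pair it with a real disassembler in practice.
    """
    hits = []
    i = 0
    while i < len(code):
        if code[i] == 0x64 and i + 1 < len(code):  # FS segment-override prefix
            op = code[i + 1]
            if op in RM_OPS and i + 7 <= len(code):
                modrm = code[i + 2]
                mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
                if mod == 0 and rm == 5:  # mod=00 rm=101: disp32, no base register
                    disp = struct.unpack_from("<I", code, i + 3)[0]
                    hits.append((i, f"{RM_OPS[op]} {REG32[reg]}, dword ptr fs:[{disp:#x}]",
                                 FS_OFFSETS.get(disp, "other")))
                    i += 7
                    continue
            if op == 0xA1 and i + 6 <= len(code):  # A1 moffs32: mov eax, fs:[disp32]
                disp = struct.unpack_from("<I", code, i + 2)[0]
                hits.append((i, f"mov eax, dword ptr fs:[{disp:#x}]",
                             FS_OFFSETS.get(disp, "other")))
                i += 6
                continue
        i += 1
    return hits


def push_len(code, i):
    """Length of the push encodings seen in the report at offset i, or 0."""
    b = code[i]
    if b == 0x6A:
        return 2  # push imm8
    if b == 0x68:
        return 5  # push imm32
    if b == 0xFF and i + 2 < len(code):
        modrm = code[i + 1]
        if (modrm & 0xF8) == 0x70 and (modrm & 7) != 4:  # FF /6, [reg+disp8], no SIB
            return 3
    return 0


def deobfuscate_push_mov(code):
    """Collapse 'push <anything>; mov dword ptr [esp], reg' into 'push reg'.

    The pushed operand is dead: the mov overwrites the slot before any read.
    Returns (offset, simplified instruction) for each pair found.
    """
    out = []
    i = 0
    while i < len(code):
        n = push_len(code, i)
        # 89 /r with ModRM mod=00 rm=100 and SIB 0x24 is "mov [esp], r32".
        if (n and i + n + 3 <= len(code) and code[i + n] == 0x89
                and (code[i + n + 1] & 0xC7) == 0x04 and code[i + n + 2] == 0x24):
            reg = (code[i + n + 1] >> 3) & 7  # reg field names the source register
            out.append((i, f"push {REG32[reg]}"))
            i += n + 3
        else:
            i += 1
    return out


if __name__ == "__main__":
    for off, text, meaning in scan_fs_reads(SAMPLE):
        print(f"{off:04x}: {text:<36} ; {meaning}")
    for off, text in deobfuscate_push_mov(SAMPLE):
        print(f"{off:04x}: {text}")
```

Because it is a linear sweep the scanner can hit a 0x64 byte inside data or an immediate; in practice run it over functions a disassembler has already recovered. Matching the xor form matters here: a detection keyed only on mov eax, fs:[30h] would not fire on this sample.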

Stealing of Sensitive Information:

Yara detected Ursnif (the same six memory-dump and unpacked-PE matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Remote Access Functionality:

Yara detected Ursnif (the same six memory-dump and unpacked-PE matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Mitre Att&ck Matrix

Entries carrying trailing digits (reproduced as extracted) are the techniques this report matched; the remaining cells are the matrix's unmatched placeholders.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection 11; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Rundll32 1; Virtualization/Sandbox Evasion 1; Process Injection 11; Obfuscated Files or Information 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Virtualization/Sandbox Evasion 1; System Information Discovery 1; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Behavior Graph ID: 382278
Sample: SecuriteInfo.com.Mal.EncPk-...
Start date: 06/04/2021
Architecture: WINDOWS
Score: 52
Signatures shown at graph level: Yara detected Ursnif; Machine Learning detection for sample
Processes in the graph: loaddll32.exe (started from the sample); cmd.exe and rundll32.exe (started by loaddll32.exe); rundll32.exe (started by cmd.exe)
