
Analysis Report SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Overview

General Information

Sample Name: SecuriteInfo.com.Mal.EncPk-APW.3323.dll
Analysis ID: 382278
MD5: 937e2c551368757c5e3c3598c41ea7d9
SHA1: 599b5bc9138bec69ac61a82858d2a2115eeab943
SHA256: cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5

Detection

Ursnif
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5584 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 1936 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 660 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4992 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.loaddll32.exe.10000000.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.2600000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.2.rundll32.exe.4990000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.d90000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll | Virustotal: Detection: 28%
Machine Learning detection for sample
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll | Joe Sandbox ML: detected
Source: 1.2.loaddll32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif (the same seven Yara matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002375 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002154
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5A25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D1B1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D3A14
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D150C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5378
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D2A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D1967
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D2566
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5262
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D88BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D31B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D92B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D2FAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D3FAB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D43D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D27D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D1CD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D13C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03045F16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0304150C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03043A14
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03041B1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03045A25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03042566
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03041967
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03045262
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03042A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03045378
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03042FAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03043FAB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030492B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030431B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030488BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030413C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030427D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03041CD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030443D8
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal60.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll | Virustotal: Detection: 28%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001745 LoadLibraryA,GetProcAddress
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll | Static PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002143 push ecx; ret | 1_2_10002153
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_100020F0 push ecx; ret | 1_2_100020F9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx | 3_2_023D5F7B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 3_2_023D5F94
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 3_2_023D5FDD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 3_2_023D604B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 3_2_023D6124
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi | 3_2_023D614F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx | 3_2_023D625E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 3_2_023D62B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 3_2_023D6343
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 3_2_023D635D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], ebp | 3_2_023D6368
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 3_2_023D6385
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx | 3_2_023D63B4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 3_2_023D6483
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 3_2_023D64F2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 3_2_023D64FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 3_2_023D650A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi | 3_2_023D6567
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi | 3_2_023D65A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], eax | 3_2_023D6610
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 3_2_023D6685
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx | 3_2_023D66C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 3_2_023D66E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi | 3_2_023D6781
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx | 3_2_023D67B6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 3_2_023D684C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 3_2_023D6858
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx | 3_2_023D6926
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 3_2_023D6945

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif (the same seven Yara matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001745 LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_023D2A69 xor edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03042A69 xor edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError

Stealing of Sensitive Information:

Yara detected Ursnif (the same seven Yara matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Remote Access Functionality:

Yara detected Ursnif (the same seven Yara matches listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Mitre Att&ck Matrix

Matrix cells listed by tactic column. Entries with a trailing digit carry the report's signature-count badge for that technique; the other entries are unmarked matrix cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Native API1; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Rundll321; Virtualization/Sandbox Evasion1; Software Packing1; Process Injection12; Obfuscated Files or Information1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: System Time Discovery1; Process Discovery1; Virtualization/Sandbox Evasion1; System Information Discovery3; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Encrypted Channel1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

Behavior Graph

Graph image not reproduced here; recoverable details from the graph: Behavior Graph ID: 382278. Sample: SecuriteInfo.com.Mal.EncPk-... Startdate: 06/04/2021. Architecture: WINDOWS. Score: 60. Signatures attached to the sample node: Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample. Process edges: loaddll32.exe started cmd.exe and rundll32.exe; cmd.exe started rundll32.exe.
