Analysis Report gg_1.gif.dll

Overview

General Information

Sample Name: gg_1.gif.dll
Analysis ID: 382549
MD5: 990e843cf4b51a69b9319c74b23b733b
SHA1: 6d82f2c85847798b3fa412825b6d25485e6d28d3
SHA256: 7af19b7aa91cf1a3fb479f1f352e0a979df69779256653eb1c9961fc9238fb73
Tags: dll, GG, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 2588 cmdline: loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 2792 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5252 cmdline: rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4220 cmdline: rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,StartService MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 592 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5180 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:592 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5012 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 968 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5012 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.234285102.0000000001170000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000000.00000003.361907935.000000000359B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000002.470853528.00000000009E0000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000000.00000003.361917668.000000000359B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.361893951.000000000359B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.loaddll32.exe.9e0000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.2.rundll32.exe.1170000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.1110000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.10000000.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.30394a0.3.raw.unpack | Malware Configuration Extractor: Ursnif [{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]
Multi AV Scanner detection for domain / URL
Source: urs-world.com | Virustotal: Detection: 5%
Source: under17.com | Virustotal: Detection: 5%
Multi AV Scanner detection for submitted file
Source: gg_1.gif.dll | ReversingLabs: Detection: 54%
Machine Learning detection for sample
Source: gg_1.gif.dll | Joe Sandbox ML: detected
Source: 3.2.rundll32.exe.10a0000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: gg_1.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C112D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: Joe Sandbox View | IP Address: 185.243.114.196
Source: Joe Sandbox View | ASN Name: ACCELERATED-ITDE
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 185.243.114.196:80
Source: unknown | DNS traffic detected: queries for: login.microsoftonline.com
Source: GiGr-rA9TBhE2c3LJn7PvDweiOo.gz[1].js.21.dr | String found in binary or memory: http://feross.org
Source: {94DF9255-96F7-11EB-90E4-ECF4BB862DED}.dat.26.dr | String found in binary or memory: http://under17.com/joomla/7EMqwcktdPA4c/aMPBQ9O_/2FX3DcgTHroSNZOCOKmShtr/x5dqa0Nz0h/_2Bn6wLNcWZjgLt0
Source: {782A6825-96F7-11EB-90E4-ECF4BB862DED}.dat.20.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.361907935.000000000359B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.361917668.000000000359B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.361893951.000000000359B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.440967759.000000000349D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.361834154.000000000359B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.361865613.000000000359B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.361939136.000000000359B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 2588, type: MEMORY
Yara detected Ursnif
Source: Yara match | File source: 00000002.00000002.234285102.0000000001170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.470853528.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.472098490.0000000001110000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.1170000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1110000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif (same Yara match sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Yara detected Ursnif (same Yara match sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001D9F NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001EB5 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002375 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C183B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C1B341 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10002375 NtQueryVirtualMemory
Source: gg_1.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal92.troj.winDLL@13/97@4/2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C1757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF0D588EF90ECA28AF.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,StartService
Source: gg_1.gif.dll | ReversingLabs: Detection: 54%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,StartService
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:592 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5012 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001745 LoadLibraryA,GetProcAddress
Source: gg_1.gif.dll | Static PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02996194 push eax; mov dword ptr [esp], 00000004h (at 0_2_029961AF)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02996194 push esi; mov dword ptr [esp], 00001000h (at 0_2_029961B7)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02996194 push 00000000h; mov dword ptr [esp], ebp (at 0_2_02996267)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0299348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx (at 0_2_029934A1)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0299348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx (at 0_2_02993632)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0299348F push 00000000h; mov dword ptr [esp], edx (at 0_2_029937FE)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0299348F push edx; mov dword ptr [esp], 00000002h (at 0_2_0299384A)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0299348F push 00000000h; mov dword ptr [esp], ecx (at 0_2_029938D7)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02996099 push esi; mov dword ptr [esp], FFFF0000h (at 0_2_029960A8)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02996099 push ecx; mov dword ptr [esp], 00005267h (at 0_2_029960C0)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02996099 push 00000000h; mov dword ptr [esp], edi (at 0_2_029960D9)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02996099 push ebx; mov dword ptr [esp], 00001000h (at 0_2_029960F0)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02996099 push ebx; mov dword ptr [esp], 000FFFFFh (at 0_2_0299615F)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02996099 push ebx; mov dword ptr [esp], 00406194h (at 0_2_02996175)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02991B95 push dword ptr [ebp-1Ch]; mov dword ptr [esp], esp (at 0_2_02991BF2)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02991B95 push 00000000h; mov dword ptr [esp], esi (at 0_2_02991CD4)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02991B95 push 00000000h; mov dword ptr [esp], esi (at 0_2_02991D37)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02991B95 push dword ptr [ebp-20h]; mov dword ptr [esp], esi (at 0_2_02991DC0)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02991B95 push 00000000h; mov dword ptr [esp], ebp (at 0_2_02991E4C)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02991B95 push dword ptr [ebp-20h]; mov dword ptr [esp], ecx (at 0_2_02991F23)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02994DF5 push 00000000h; mov dword ptr [esp], edi (at 0_2_02994EA4)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02992DF5 push dword ptr [ebp-04h]; mov dword ptr [esp], edi (at 0_2_02992E1C)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02992DF5 push 00000000h; mov dword ptr [esp], edx (at 0_2_02992EAD)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02992DF5 push 00000000h; mov dword ptr [esp], ebp (at 0_2_02992EC1)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02995AF6 push esi; mov dword ptr [esp], 0000F000h (at 0_2_02995C11)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_029920EE push 00000000h; mov dword ptr [esp], esi (at 0_2_0299210B)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_029920EE push dword ptr [ebp-10h]; mov dword ptr [esp], esi (at 0_2_02992177)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_029920EE push dword ptr [ebp-10h]; mov dword ptr [esp], ecx (at 0_2_0299222E)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_029920EE push 00000000h; mov dword ptr [esp], eax (at 0_2_02992498)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_029920EE push 00000000h; mov dword ptr [esp], edi (at 0_2_02992502)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_029920EE push 00000000h; mov dword ptr [esp], ecx (at 0_2_02992524)

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000000.00000003.361907935.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.361917668.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.361893951.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.440967759.000000000349D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.361834154.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.361865613.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.361939136.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 2588, type: MEMORY
                      Yara detected Ursnif
                      Source: Yara match | File source: 00000002.00000002.234285102.0000000001170000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.470853528.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.472098490.0000000001110000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.1170000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.1110000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
                      Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C112D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, | 0_2_00C112D4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001745 LoadLibraryA,GetProcAddress, | 0_2_10001745
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02992DF5 or edx, dword ptr fs:[00000030h] | 0_2_02992DF5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01112DF5 or edx, dword ptr fs:[00000030h] | 2_2_01112DF5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_010A2DF5 or edx, dword ptr fs:[00000030h] | 3_2_010A2DF5
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
                      Source: loaddll32.exe, 00000000.00000002.472968505.0000000001580000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474202434.0000000003820000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000002.472968505.0000000001580000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474202434.0000000003820000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.472968505.0000000001580000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474202434.0000000003820000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.472968505.0000000001580000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474202434.0000000003820000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C1269C cpuid | 0_2_00C1269C
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, | 0_2_1000102F
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C1269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, | 0_2_00C1269C
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, | 0_2_10001850

                      Stealing of Sensitive Information:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000000.00000003.361907935.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.361917668.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.361893951.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.440967759.000000000349D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.361834154.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.361865613.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.361939136.000000000359B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 2588, type: MEMORY
                      Yara detected Ursnif
                      Source: Yara match | File source: 00000002.00000002.234285102.0000000001170000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.470853528.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.472098490.0000000001110000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.1170000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll