Source: 2.2.rundll32.exe.32c0000.2.raw.unpack |
Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]] |
Source: Yara match |
File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 |
0_2_03055F16 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0305150C |
0_2_0305150C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03053A14 |
0_2_03053A14 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03051B1E |
0_2_03051B1E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055A25 |
0_2_03055A25 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03051967 |
0_2_03051967 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03052566 |
0_2_03052566 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055262 |
0_2_03055262 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03052A69 |
0_2_03052A69 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055378 |
0_2_03055378 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03052FAF |
0_2_03052FAF |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03053FAB |
0_2_03053FAB |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_030531B3 |
0_2_030531B3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_030592B2 |
0_2_030592B2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_030588BA |
0_2_030588BA |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_030513C5 |
0_2_030513C5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_030527D4 |
0_2_030527D4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03051CD0 |
0_2_03051CD0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_030543D8 |
0_2_030543D8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10002154 |
0_2_10002154 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A5F16 |
2_2_032A5F16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A5A25 |
2_2_032A5A25 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A150C |
2_2_032A150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A1B1E |
2_2_032A1B1E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A3A14 |
2_2_032A3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A2A69 |
2_2_032A2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A5262 |
2_2_032A5262 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A2566 |
2_2_032A2566 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A1967 |
2_2_032A1967 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A5378 |
2_2_032A5378 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A3FAB |
2_2_032A3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A2FAF |
2_2_032A2FAF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A88BA |
2_2_032A88BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A92B2 |
2_2_032A92B2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A31B3 |
2_2_032A31B3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A13C5 |
2_2_032A13C5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A43D8 |
2_2_032A43D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A1CD0 |
2_2_032A1CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A27D4 |
2_2_032A27D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B5F16 |
3_2_046B5F16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B2A69 |
3_2_046B2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B5262 |
3_2_046B5262 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B1967 |
3_2_046B1967 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B2566 |
3_2_046B2566 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B5378 |
3_2_046B5378 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B5A25 |
3_2_046B5A25 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B150C |
3_2_046B150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B1B1E |
3_2_046B1B1E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B3A14 |
3_2_046B3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B13C5 |
3_2_046B13C5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B43D8 |
3_2_046B43D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B1CD0 |
3_2_046B1CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B27D4 |
3_2_046B27D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B3FAB |
3_2_046B3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B2FAF |
3_2_046B2FAF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B88BA |
3_2_046B88BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B31B3 |
3_2_046B31B3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B92B2 |
3_2_046B92B2 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg.gif.dll,DllServer |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg.gif.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg.gif.dll,DllServer |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg.gif.dll,DllServer |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
0_2_03055F7B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_03055F94 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_03055FDD |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
0_2_0305604B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_03056124 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi |
0_2_0305614F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx |
0_2_0305625E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
0_2_030562B5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
0_2_03056343 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
0_2_0305635D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], ebp |
0_2_03056368 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_03056385 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx |
0_2_030563B4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_03056483 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_030564F2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
0_2_030564FE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_0305650A |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi |
0_2_03056567 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi |
0_2_030565A9 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], eax |
0_2_03056610 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_03056685 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx |
0_2_030566C2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_030566E8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi |
0_2_03056781 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx |
0_2_030567B6 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_0305684C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_03056858 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx |
0_2_03056926 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_03056945 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_03056951 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
0_2_030569D6 |
Source: Yara match |
File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_03052A69 xor edi, dword ptr fs:[00000030h] |
0_2_03052A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_032A2A69 xor edi, dword ptr fs:[00000030h] |
2_2_032A2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_046B2A69 xor edi, dword ptr fs:[00000030h] |
3_2_046B2A69 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
0_2_1000163F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
0_2_10001850 |
Source: Yara match |
File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE |