Source: 2.2.rundll32.exe.32c0000.2.raw.unpack | Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]] |
Source: 0.2.loaddll32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: Yara match | File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 | 0_2_03055F16 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0305150C | 0_2_0305150C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03053A14 | 0_2_03053A14 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03051B1E | 0_2_03051B1E |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055A25 | 0_2_03055A25 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03051967 | 0_2_03051967 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03052566 | 0_2_03052566 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055262 | 0_2_03055262 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03052A69 | 0_2_03052A69 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055378 | 0_2_03055378 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03052FAF | 0_2_03052FAF |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03053FAB | 0_2_03053FAB |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030531B3 | 0_2_030531B3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030592B2 | 0_2_030592B2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030588BA | 0_2_030588BA |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030513C5 | 0_2_030513C5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030527D4 | 0_2_030527D4 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03051CD0 | 0_2_03051CD0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030543D8 | 0_2_030543D8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002154 | 0_2_10002154 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A5F16 | 2_2_032A5F16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A5A25 | 2_2_032A5A25 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A150C | 2_2_032A150C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A1B1E | 2_2_032A1B1E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A3A14 | 2_2_032A3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A2A69 | 2_2_032A2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A5262 | 2_2_032A5262 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A2566 | 2_2_032A2566 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A1967 | 2_2_032A1967 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A5378 | 2_2_032A5378 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A3FAB | 2_2_032A3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A2FAF | 2_2_032A2FAF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A88BA | 2_2_032A88BA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A92B2 | 2_2_032A92B2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A31B3 | 2_2_032A31B3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A13C5 | 2_2_032A13C5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A43D8 | 2_2_032A43D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A1CD0 | 2_2_032A1CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A27D4 | 2_2_032A27D4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B5F16 | 3_2_046B5F16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B2A69 | 3_2_046B2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B5262 | 3_2_046B5262 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B1967 | 3_2_046B1967 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B2566 | 3_2_046B2566 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B5378 | 3_2_046B5378 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B5A25 | 3_2_046B5A25 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B150C | 3_2_046B150C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B1B1E | 3_2_046B1B1E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B3A14 | 3_2_046B3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B13C5 | 3_2_046B13C5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B43D8 | 3_2_046B43D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B1CD0 | 3_2_046B1CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B27D4 | 3_2_046B27D4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B3FAB | 3_2_046B3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B2FAF | 3_2_046B2FAF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B88BA | 3_2_046B88BA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B31B3 | 3_2_046B31B3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B92B2 | 3_2_046B92B2 |
Source: classification engine | Classification label: mal68.troj.winDLL@7/0@0/0 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg.gif.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg.gif.dll,DllServer |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx | 0_2_03055F7B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 0_2_03055F94 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 0_2_03055FDD |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 0_2_0305604B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 0_2_03056124 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi | 0_2_0305614F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx | 0_2_0305625E |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 0_2_030562B5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 0_2_03056343 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 0_2_0305635D |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], ebp | 0_2_03056368 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 0_2_03056385 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx | 0_2_030563B4 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 0_2_03056483 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 0_2_030564F2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 0_2_030564FE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 0_2_0305650A |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi | 0_2_03056567 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi | 0_2_030565A9 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], eax | 0_2_03056610 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 0_2_03056685 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx | 0_2_030566C2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 0_2_030566E8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi | 0_2_03056781 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx | 0_2_030567B6 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 0_2_0305684C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 0_2_03056858 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx | 0_2_03056926 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 0_2_03056945 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 0_2_03056951 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx | 0_2_030569D6 |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03052A69 xor edi, dword ptr fs:[00000030h] | 0_2_03052A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A2A69 xor edi, dword ptr fs:[00000030h] | 2_2_032A2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B2A69 xor edi, dword ptr fs:[00000030h] | 3_2_046B2A69 |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, | 0_2_1000163F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, | 0_2_10001850 |