[[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]
Source: 2.2.rundll32.exe.32c0000.2.raw.unpack | Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]] |
Source: Yara match | File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0305150C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03053A14 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03051B1E |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055A25 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03051967 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03052566 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055262 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03052A69 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055378 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03052FAF |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03053FAB |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030531B3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030592B2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030588BA |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030513C5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030527D4 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03051CD0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_030543D8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002154 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A5F16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A5A25 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A150C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A1B1E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A5262 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A2566 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A1967 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A5378 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A2FAF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A88BA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A92B2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A31B3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A13C5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A43D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A1CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A27D4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B5F16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B5262 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B1967 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B2566 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B5378 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B5A25 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B150C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B1B1E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B13C5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B43D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B1CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B27D4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B2FAF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B88BA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B31B3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B92B2 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg.gif.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg.gif.dll,DllServer |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg.gif.dll,DllServer |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], ebp |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
Source: Yara match | File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03052A69 xor edi, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_032A2A69 xor edi, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046B2A69 xor edi, dword ptr fs:[00000030h] |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
Source: Yara match | File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.