Source: 4.2.rundll32.exe.4560000.2.raw.unpack |
Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]] |
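The extractor line above is nested JSON that still needs triage before anything goes on a blocklist. The following script is an added example for this report, not the sandbox's or the extractor's code: it merges the extractor's list-of-dicts into one record, decodes the RSA blob to report its raw length (the page gives no key layout, so nothing further is claimed about it), checks that the Serpent key is a size Serpent accepts, and separates the C2 list into actionable domains and decoys. The decoy suffix list is an analyst assumption: ISFB-family configs commonly pad the C2 list with well-known legitimate hosts, and blocking those breaks the network rather than the bot.

```python
"""Turn the Ursnif/ISFB config-extractor output into a triage record.

Added example for this report, not the sandbox's or the extractor's code.
CONFIG_JSON is the extractor line copied verbatim from the report. The decoy
suffix list is an analyst assumption, not something the report states.
"""
import base64
import json

CONFIG_JSON = r'''[[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]'''

# Assumed decoy suffixes; extend from your own allowlist and DNS telemetry.
DECOY_SUFFIXES = ("bing.com", "microsoft.com")
SERPENT_KEY_SIZES = (16, 24, 32)  # Serpent takes 128/192/256-bit keys


def flatten(node):
    """Merge the extractor's nested list-of-dicts into one flat dict."""
    merged = {}
    if isinstance(node, dict):
        merged.update(node)
    elif isinstance(node, list):
        for item in node:
            merged.update(flatten(item))
    return merged


def is_decoy(domain):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DECOY_SUFFIXES)


def split_c2(domains):
    """Keep order: actionable domains first, decoys second."""
    actionable = [d for d in domains if not is_decoy(d)]
    decoys = [d for d in domains if is_decoy(d)]
    return actionable, decoys


def inspect_keys(cfg):
    """Raw length of the RSA blob and sanity check on the Serpent key."""
    rsa_blob = base64.b64decode(cfg["RSA Public Key"], validate=True)
    serpent = cfg["serpent_key"].encode()
    return {
        "rsa_blob_len": len(rsa_blob),
        "serpent_key_len": len(serpent),
        "serpent_key_valid": len(serpent) in SERPENT_KEY_SIZES,
    }


def triage(raw_json):
    cfg = flatten(json.loads(raw_json))
    actionable, decoys = split_c2(cfg["c2_domain"])
    record = {
        "botnet": cfg["botnet"],
        "server": cfg["server"],
        "c2_actionable": actionable,
        "c2_decoys": decoys,
        "dga_count": int(cfg["DGA_count"]),
        "sleep_time": int(cfg["sleep_time"]),
    }
    record.update(inspect_keys(cfg))
    return record


if __name__ == "__main__":
    print(json.dumps(triage(CONFIG_JSON), indent=2))
```

Only `c2_actionable` belongs in a blocklist; `botnet` and `server` are useful for clustering samples from the same campaign, and the DGA count tells you to expect further domains that are not in the static config.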
Source: gg_1.gif.dll |
ReversingLabs: Detection: 41% |
Source: 1.2.loaddll32.exe.10000000.3.unpack |
Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: gg_1.gif.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: Yara match |
File source: 00000003.00000002.703411364.0000000004D40000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.699967936.0000000004560000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.919628932.0000000003020000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 3.2.rundll32.exe.4d40000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.loaddll32.exe.3020000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.4560000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10002375 NtQueryVirtualMemory, |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10002154 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D21CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D227D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D243D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D213C5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D292B2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D231B3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D288BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D23FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D22FAF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25378 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25262 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D22566 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D21967 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D22A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D23A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D21B1E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D2150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25A25 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04525F16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04525378 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04525262 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04522566 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04521967 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04522A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04523A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04521B1E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_0452150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04525A25 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04521CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_045227D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_045243D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_045213C5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_045292B2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_045231B3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_045288BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04523FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04522FAF |
Source: classification engine |
Classification label: mal68.troj.winDLL@7/0@0/0 |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll' |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 |
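The process tree above is the pattern a detection engineer wants to catch: rundll32 loading a DLL with a picture extension in its name (gg_1.gif.dll) from the user's profile, once by export name (DllServer) and once by ordinal (#1). The script below is an added example for this report, not sandbox code. EVENTS is constructed from the report's two rundll32 command lines plus one constructed benign baseline; the field names `parent` and `cmdline` are an assumption, not a real Sysmon or EDR schema. Note that loaddll32.exe, the root parent here, is the analysis helper that exercises each export; on a real host the parent would be an Office process, a script host or cmd.exe, which is why the parent check is a separate rule rather than the whole detection.

```python
"""Flag rundll32 launches of masquerading DLLs from user-writable paths.

Added example for this report, not sandbox code. EVENTS is constructed from
the report's process-creation lines plus one constructed benign baseline;
the field names are an assumption, not a real Sysmon/EDR schema.
"""
import re
from pathlib import PureWindowsPath

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
NON_CODE_EXT = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".pdf",
                ".doc", ".docx", ".xls", ".xlsx", ".dat", ".log"}
SCRIPTY_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}

# rundll32 <dll>,<entry> [args]; the dll may be "..." or '...' quoted
# (the report renders quotes as ').
_RUNDLL32_RE = re.compile(r'^\s*"?[^\s"]*rundll32(?:\.exe)?"?\s+(.*)$', re.I)
_ARG_RE = re.compile(r"""^\s*(?:"([^"]*)"|'([^']*)'|([^\s,]+))(?:\s*,\s*(\S+))?""")


def parse_rundll32(cmdline):
    """Return (dll_path, entry) or None if this is not a rundll32 launch."""
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    am = _ARG_RE.match(m.group(1))
    if not am:
        return None
    dll = am.group(1) or am.group(2) or am.group(3)
    return dll, am.group(4)


def triage(event):
    """Return (score, reasons) for one process-creation event."""
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return 0, []
    dll, entry = parsed
    path = PureWindowsPath(dll)
    low = str(path).lower()
    suffixes = [s.lower() for s in path.suffixes]
    reasons = []
    if any(tok in low for tok in USER_WRITABLE):
        reasons.append("dll in user-writable location")
    if len(suffixes) >= 2 and suffixes[-2] in NON_CODE_EXT:
        reasons.append(f"double extension masquerading as {suffixes[-2]}")
    if not suffixes or suffixes[-1] != ".dll":
        reasons.append("dll argument has no .dll extension")
    if entry and entry.startswith("#"):
        reasons.append(f"export invoked by ordinal {entry}")
    parent = PureWindowsPath(event.get("parent", "")).name.lower()
    if parent in SCRIPTY_PARENTS:
        reasons.append(f"spawned by {parent}")
    return len(reasons), reasons


EVENTS = [  # constructed from the report's process tree
    {"parent": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1"},
    {"parent": r"C:\Windows\explorer.exe",  # benign baseline, constructed
     "cmdline": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
]


def alerts(events, threshold=2):
    """Events scoring at or above threshold, with their reasons."""
    out = []
    for ev in events:
        score, reasons = triage(ev)
        if score >= threshold:
            out.append((ev["cmdline"], score, reasons))
    return out


if __name__ == "__main__":
    for cmd, score, reasons in alerts(EVENTS):
        print(score, cmd, "|", "; ".join(reasons))
```

The threshold of 2 keeps a lone ordinal call or a lone user-profile path (both common in legitimate installers) below the alert line; the sandbox's two rundll32 launches score 2 and 4, the shell32 baseline scores 0.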
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10001745 LoadLibraryA,GetProcAddress, |
Source: gg_1.gif.dll |
Static PE information: section name: .code |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10002143 push ecx; ret |
1_2_10002153 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_100050D9 push esp; iretd |
1_2_100050DA |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_100020F0 push ecx; ret |
1_2_100020F9 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D2709D push edi; mov dword ptr [esp], FFFF0000h |
3_2_04D2709E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D2709D push 00000000h; mov dword ptr [esp], ebp |
3_2_04D270F5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D2709D push esp; mov dword ptr [esp], 00000040h |
3_2_04D2711D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D2709D push 00000000h; mov dword ptr [esp], ecx |
3_2_04D2716C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
3_2_04D25F7B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
3_2_04D25F94 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
3_2_04D25FDD |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
3_2_04D2604B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
3_2_04D26124 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi |
3_2_04D2614F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edx |
3_2_04D2625E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
3_2_04D262B5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
3_2_04D26343 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
3_2_04D2635D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], ebp |
3_2_04D26368 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
3_2_04D26385 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edx |
3_2_04D263B4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
3_2_04D26483 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
3_2_04D264F2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
3_2_04D264FE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
3_2_04D2650A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi |
3_2_04D26567 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi |
3_2_04D265A9 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], eax |
3_2_04D26610 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
3_2_04D26685 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx |
3_2_04D266C2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
3_2_04D266E8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi |
3_2_04D26781 |
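Every entry in the listing above is the same idiom: `push X` reserves a stack slot that `mov dword ptr [esp], Y` immediately overwrites, so the pair is exactly `push Y` (neither instruction touches EFLAGS), and the dead operand X exists only to break byte-pattern scanners and make the function at 3_2_04D25F16 look unlike a normal prologue. The script below is an added example, not the report's or the sample's code: it rewrites that idiom to the single push it stands for, turns `push reg; ret` into the indirect jump it is, and tags anything else (the `push esp; iretd` at 1_2_100050D9) for manual review. REPORT_LINES are copied from the report's listing.

```python
"""Normalise the push/mov stack-write idiom found in the sandbox listing.

Added example; not the report's or the sample's code. REPORT_LINES are
copied from the report. Semantics relied on: `push X; mov [esp], Y` is
`push Y`; `push reg; ret` transfers control to reg, i.e. `jmp reg`.
"""
import re
from collections import defaultdict

PAIR_RE = re.compile(
    r"^\s*push\s+(?P<dead>.+?)\s*;\s*mov\s+dword\s+ptr\s+\[esp\]\s*,\s*(?P<live>.+?)\s*$",
    re.I)
PUSH_RET_RE = re.compile(r"^\s*push\s+(?P<target>[a-z]{2,3})\s*;\s*ret\s*$", re.I)
# "Code function: <func id> <instruction sequence> |" as the report prints it
LINE_RE = re.compile(r"Code function:\s+(?P<func>\S+)\s+(?P<seq>.+?)\s*\|?\s*$")

REPORT_LINES = [
    "Code function: 3_2_04D2709D push edi; mov dword ptr [esp], FFFF0000h |",
    "Code function: 3_2_04D2709D push 00000000h; mov dword ptr [esp], ebp |",
    "Code function: 3_2_04D2709D push esp; mov dword ptr [esp], 00000040h |",
    "Code function: 3_2_04D2709D push 00000000h; mov dword ptr [esp], ecx |",
    "Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |",
    "Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi |",
    "Code function: 1_2_10002143 push ecx; ret |",
    "Code function: 1_2_100050D9 push esp; iretd |",
]


def normalize(seq):
    """Collapse one reported instruction pair to its plain equivalent."""
    m = PAIR_RE.match(seq)
    if m:
        # The pushed value is dead: [esp] is rewritten before anyone reads it.
        return f"push {m.group('live')}"
    m = PUSH_RET_RE.match(seq)
    if m:
        # ret pops the just-pushed register into EIP.
        return f"jmp {m.group('target')}"
    return f"REVIEW: {seq.strip()}"


def summarize(lines):
    """Map each function id to its normalised sequences, in report order."""
    per_func = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            per_func[m.group("func")].append(normalize(m.group("seq")))
    return dict(per_func)


if __name__ == "__main__":
    for func, seqs in summarize(REPORT_LINES).items():
        print(func)
        for s in seqs:
            print("   ", s)
```

Once normalised, 3_2_04D25F16 is a long run of ordinary pushes of locals and registers, which is what you would expect from a hand-written argument-marshalling routine; the obfuscation adds nothing the sample needs to run, so a sequence of these pairs in a function is a usable heuristic for a packer or obfuscator stage rather than compiler output.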
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04D22A69 xor edi, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_04522A69 xor edi, dword ptr fs:[00000030h] |
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |