
Analysis Report gg_1.gif.dll

Overview

General Information

Sample Name: gg_1.gif.dll
Analysis ID: 382564
MD5: 53f7e96f48283df339164afadd174638
SHA1: bd119af6c52876fb5d23398326850d87fe159735
SHA256: 4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
Tags: dll, GG, Gozi, IFSB, Ursnif

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6948 cmdline: loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6988 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7012 cmdline: rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7000 cmdline: rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

[[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.703411364.0000000004D40000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000004.00000002.699967936.0000000004560000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000001.00000002.919628932.0000000003020000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.4d40000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.10000000.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.3020000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.2.rundll32.exe.4560000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.4560000.2.raw.unpack | Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]
Multi AV Scanner detection for submitted file
Source: gg_1.gif.dll | ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: gg_1.gif.dll | Joe Sandbox ML: detected
Source: 1.2.loaddll32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: gg_1.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.703411364.0000000004D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.699967936.0000000004560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.919628932.0000000003020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.rundll32.exe.4d40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.3020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4560000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.703411364.0000000004D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.699967936.0000000004560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.919628932.0000000003020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.rundll32.exe.4d40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.3020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4560000.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002375 NtQueryVirtualMemory, 1_2_10002375
Source: gg_1.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer
Source: gg_1.gif.dll | ReversingLabs: Detection: 41%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001745 LoadLibraryA,GetProcAddress, 1_2_10001745
Source: gg_1.gif.dll | Static PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002143 push ecx; ret 1_2_10002153
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_100050D9 push esp; iretd 1_2_100050DA
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_100020F0 push ecx; ret 1_2_100020F9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D2709D push edi; mov dword ptr [esp], FFFF0000h 3_2_04D2709E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D2709D push 00000000h; mov dword ptr [esp], ebp 3_2_04D270F5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D2709D push esp; mov dword ptr [esp], 00000040h 3_2_04D2711D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D2709D push 00000000h; mov dword ptr [esp], ecx 3_2_04D2716C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 3_2_04D25F7B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_04D25F94
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_04D25FDD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_04D2604B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_04D26124
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi 3_2_04D2614F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edx 3_2_04D2625E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_04D262B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_04D26343
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_04D2635D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], ebp 3_2_04D26368
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_04D26385
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edx 3_2_04D263B4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_04D26483
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_04D264F2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_04D264FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_04D2650A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi 3_2_04D26567
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi 3_2_04D265A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], eax 3_2_04D26610
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_04D26685
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 3_2_04D266C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_04D266E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi 3_2_04D26781

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.703411364.0000000004D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.699967936.0000000004560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.919628932.0000000003020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.rundll32.exe.4d40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.3020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4560000.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001745 LoadLibraryA,GetProcAddress, 1_2_10001745
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D22A69 xor edi, dword ptr fs:[00000030h] 3_2_04D22A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04522A69 xor edi, dword ptr fs:[00000030h] 4_2_04522A69
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_1000163F
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_10001850

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.703411364.0000000004D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.699967936.0000000004560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.919628932.0000000003020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.rundll32.exe.4d40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.3020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4560000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.703411364.0000000004D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.699967936.0000000004560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.919628932.0000000003020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.rundll32.exe.4d40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.3020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4560000.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Path Interception | Process Injection12 | Rundll321 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Software Packing1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | System Information Discovery3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |

Behavior Graph

Behavior Graph ID: 382564; Sample: gg_1.gif.dll; Start date: 06/04/2021; Architecture: WINDOWS; Score: 68
Top-level signatures in the graph: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
Process tree in the graph: loaddll32.exe started cmd.exe and rundll32.exe; cmd.exe started rundll32.exe
