Source: 4.2.rundll32.exe.4ba0000.2.raw.unpack |
Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]] |
Source: gg_1.gif.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: Yara match |
File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 |
1_2_00EA5F16 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA13C5 |
1_2_00EA13C5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA43D8 |
1_2_00EA43D8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA1CD0 |
1_2_00EA1CD0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA27D4 |
1_2_00EA27D4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA3FAB |
1_2_00EA3FAB |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA2FAF |
1_2_00EA2FAF |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA88BA |
1_2_00EA88BA |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA92B2 |
1_2_00EA92B2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA31B3 |
1_2_00EA31B3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA2A69 |
1_2_00EA2A69 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA2566 |
1_2_00EA2566 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA1967 |
1_2_00EA1967 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA150C |
1_2_00EA150C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA510C |
1_2_00EA510C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA1B1E |
1_2_00EA1B1E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA3A14 |
1_2_00EA3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03465F16 |
4_2_03465F16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03462566 |
4_2_03462566 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03461967 |
4_2_03461967 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03465262 |
4_2_03465262 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03462A69 |
4_2_03462A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03465378 |
4_2_03465378 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_0346150C |
4_2_0346150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03463A14 |
4_2_03463A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03461B1E |
4_2_03461B1E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03465A25 |
4_2_03465A25 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_034613C5 |
4_2_034613C5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_034627D4 |
4_2_034627D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03461CD0 |
4_2_03461CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_034643D8 |
4_2_034643D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03462FAF |
4_2_03462FAF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03463FAB |
4_2_03463FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_034692B2 |
4_2_034692B2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_034631B3 |
4_2_034631B3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_034688BA |
4_2_034688BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03305F16 |
5_2_03305F16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03305A25 |
5_2_03305A25 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03303A14 |
5_2_03303A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03301B1E |
5_2_03301B1E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_0330150C |
5_2_0330150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03305378 |
5_2_03305378 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03305262 |
5_2_03305262 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03302566 |
5_2_03302566 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03301967 |
5_2_03301967 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03302A69 |
5_2_03302A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_033092B2 |
5_2_033092B2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_033031B3 |
5_2_033031B3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_033088BA |
5_2_033088BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03303FAB |
5_2_03303FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03302FAF |
5_2_03302FAF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03301CD0 |
5_2_03301CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_033027D4 |
5_2_033027D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_033043D8 |
5_2_033043D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_033013C5 |
5_2_033013C5 |
Source: gg_1.gif.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: classification engine |
Classification label: mal68.troj.winDLL@7/0@0/0 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA709D push edi; mov dword ptr [esp], FFFF0000h |
1_2_00EA709E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA709D push 00000000h; mov dword ptr [esp], ebp |
1_2_00EA70F5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA709D push esp; mov dword ptr [esp], 00000040h |
1_2_00EA711D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA709D push 00000000h; mov dword ptr [esp], ecx |
1_2_00EA716C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
1_2_00EA5F7B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_00EA5F94 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
1_2_00EA5FDD |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
1_2_00EA604B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
1_2_00EA6124 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi |
1_2_00EA614F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx |
1_2_00EA625E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
1_2_00EA62B5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
1_2_00EA6343 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
1_2_00EA635D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], ebp |
1_2_00EA6368 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_00EA6385 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx |
1_2_00EA63B4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
1_2_00EA6483 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
1_2_00EA64F2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
1_2_00EA64FE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
1_2_00EA650A |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi |
1_2_00EA6567 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi |
1_2_00EA65A9 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], eax |
1_2_00EA6610 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_00EA6685 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx |
1_2_00EA66C2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_00EA66E8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi |
1_2_00EA6781 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx |
1_2_00EA67B6 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_00EA684C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_00EA6858 |
Source: Yara match |
File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00EA2A69 xor edi, dword ptr fs:[00000030h] |
1_2_00EA2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03462A69 xor edi, dword ptr fs:[00000030h] |
4_2_03462A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_03302A69 xor edi, dword ptr fs:[00000030h] |
5_2_03302A69 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: Yara match |
File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE |