
Analysis Report gg_1.gif.dll

Overview

General Information

Sample Name: gg_1.gif.dll
Analysis ID: 382564
MD5: 53f7e96f48283df339164afadd174638
SHA1: bd119af6c52876fb5d23398326850d87fe159735
SHA256: 4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
Tags: dll, GG, Gozi, IFSB, Ursnif

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6836 cmdline: loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6864 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6920 cmdline: rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6908 cmdline: rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

[
  [
    {
      "RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"
    },
    {
      "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"],
      "botnet": "5566",
      "server": "12",
      "serpent_key": "10301029JSJUYDWG",
      "sleep_time": "10",
      "SetWaitableTimer_value": "0",
      "DGA_count": "10"
    }
  ]
]

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.rundll32.exe.4b40000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.2.rundll32.exe.4ba0000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.ec0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.4ba0000.2.raw.unpack | Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]
Multi AV Scanner detection for submitted file
Source: gg_1.gif.dll | ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: gg_1.gif.dll | Joe Sandbox ML: detected
Source: gg_1.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA13C5
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA43D8
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA1CD0
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA27D4
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA3FAB
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA2FAF
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA88BA
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA92B2
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA31B3
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA2A69
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA2566
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA1967
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA150C
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA510C
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA1B1E
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA3A14
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03465F16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03462566
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03461967
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03465262
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03462A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03465378
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0346150C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03463A14
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03461B1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03465A25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034613C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034627D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03461CD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034643D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03462FAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03463FAB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034692B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034631B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034688BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03305F16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03305A25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03303A14
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03301B1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0330150C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03305378
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03305262
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03302566
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03301967
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03302A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033092B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033031B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033088BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03303FAB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03302FAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03301CD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033027D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033043D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033013C5

Source: gg_1.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer
Source: gg_1.gif.dll | ReversingLabs: Detection: 41%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: gg_1.gif.dll | Static PE information: section name: .code

Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA709D push edi; mov dword ptr [esp], FFFF0000h | 1_2_00EA709E
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA709D push 00000000h; mov dword ptr [esp], ebp | 1_2_00EA70F5
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA709D push esp; mov dword ptr [esp], 00000040h | 1_2_00EA711D
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA709D push 00000000h; mov dword ptr [esp], ecx | 1_2_00EA716C
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx | 1_2_00EA5F7B
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA5F94
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 1_2_00EA5FDD
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 1_2_00EA604B
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 1_2_00EA6124
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi | 1_2_00EA614F
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx | 1_2_00EA625E
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 1_2_00EA62B5
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 1_2_00EA6343
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 1_2_00EA635D
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], ebp | 1_2_00EA6368
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA6385
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx | 1_2_00EA63B4
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 1_2_00EA6483
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 1_2_00EA64F2
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 1_2_00EA64FE
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 1_2_00EA650A
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi | 1_2_00EA6567
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi | 1_2_00EA65A9
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], eax | 1_2_00EA6610
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA6685
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx | 1_2_00EA66C2
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA66E8
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi | 1_2_00EA6781
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx | 1_2_00EA67B6
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA684C
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA6858

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA2A69 xor edi, dword ptr fs:[00000030h] | 1_2_00EA2A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03462A69 xor edi, dword ptr fs:[00000030h] | 4_2_03462A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03302A69 xor edi, dword ptr fs:[00000030h] | 5_2_03302A69
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 1 | Rundll32 1 | OS Credential Dumping | Virtualization/Sandbox Evasion 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | System Information Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud

Behavior Graph

[Behavior graph image not reproduced; recoverable node data follows.]
Behavior Graph ID: 382564 | Sample: gg_1.gif.dll | Start date: 06/04/2021 | Architecture: WINDOWS | Score: 68
Signatures attached to the root node: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
Process nodes: loaddll32.exe started -> cmd.exe started -> rundll32.exe started; loaddll32.exe started -> rundll32.exe started
