Source: 5.3.rundll32.exe.51194a0.0.raw.unpack |
Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"} |
Source: O2U2nEYAZO.dll |
Virustotal: Detection: 64% |
Source: O2U2nEYAZO.dll |
ReversingLabs: Detection: 78% |
Source: O2U2nEYAZO.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: Yara match |
File source: 00000004.00000002.380711956.0000000004D10000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.692229212.0000000000850000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.491923897.0000000002BD0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 5.2.rundll32.exe.2bd0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.4d10000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00813FAB |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00812FAF |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_008131B3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_008192B2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_008188BA |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_008113C5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00811CD0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_008127D4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_008143D8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_0081150C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00813A14 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00811B1E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815A25 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815262 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00811967 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00812566 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00812A69 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815378 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC5F16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC2FAF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC88BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC92B2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC31B3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC13C5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC43D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC27D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC1CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC5A25 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC1B1E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC2566 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC1967 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC5262 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC5378 |
Source: classification engine |
Classification label: mal68.troj.winDLL@7/0@0/0 |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\O2U2nEYAZO.dll,DllServer |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll' |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1 |
Source: O2U2nEYAZO.dll |
Static PE information: section name: .code |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_0081709D push edi; mov dword ptr [esp], FFFF0000h |
1_2_0081709E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_0081709D push 00000000h; mov dword ptr [esp], ebp |
1_2_008170F5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_0081709D push esp; mov dword ptr [esp], 00000040h |
1_2_0081711D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_0081709D push 00000000h; mov dword ptr [esp], ecx |
1_2_0081716C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
1_2_00815F7B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_00815F94 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
1_2_00815FDD |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
1_2_0081604B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
1_2_00816124 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edi |
1_2_0081614F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edx |
1_2_0081625E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
1_2_008162B5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
1_2_00816343 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
1_2_0081635D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], ebp |
1_2_00816368 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_00816385 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edx |
1_2_008163B4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
1_2_00816483 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
1_2_008164F2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
1_2_008164FE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
1_2_0081650A |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edi |
1_2_00816567 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edi |
1_2_008165A9 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], eax |
1_2_00816610 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_00816685 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx |
1_2_008166C2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_008166E8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edi |
1_2_00816781 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edx |
1_2_008167B6 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_0081684C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
1_2_00816858 |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll32.exe |
Thread delayed: delay time: 120000 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_00812A69 xor edi, dword ptr fs:[00000030h] |
1_2_00812A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_02AC2A69 xor edi, dword ptr fs:[00000030h] |
5_2_02AC2A69 |