Source: 0.2.loaddll32.exe.8a0000.1.raw.unpack
Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Source: H78gXhk1NY.dll
ReversingLabs: Detection: 74%
Source: H78gXhk1NY.dll
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Yara match
File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE
Source: loaddll32.exe, 00000000.00000002.276071001.0000000000A9B000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 2_2_00EE5F16
Code function: 2_2_00EE13C5
Code function: 2_2_00EE43D8
Code function: 2_2_00EE27D4
Code function: 2_2_00EE1CD0
Code function: 2_2_00EE2FAF
Code function: 2_2_00EE3FAB
Code function: 2_2_00EE88BA
Code function: 2_2_00EE92B2
Code function: 2_2_00EE31B3
Code function: 2_2_00EE2A69
Code function: 2_2_00EE2566
Code function: 2_2_00EE1967
Code function: 2_2_00EE5262
Code function: 2_2_00EE5378
Code function: 2_2_00EE5A25
Code function: 2_2_00EE150C
Code function: 2_2_00EE1B1E
Code function: 2_2_00EE3A14
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_03095F16
Code function: 3_2_0309150C
Code function: 3_2_03091B1E
Code function: 3_2_03093A14
Code function: 3_2_03095A25
Code function: 3_2_03092A69
Code function: 3_2_03095262
Code function: 3_2_03091967
Code function: 3_2_03092566
Code function: 3_2_03095378
Code function: 3_2_03093FAB
Code function: 3_2_03092FAF
Code function: 3_2_030988BA
Code function: 3_2_030931B3
Code function: 3_2_030992B2
Code function: 3_2_030913C5
Code function: 3_2_030943D8
Code function: 3_2_03091CD0
Code function: 3_2_030927D4
Source: classification engine
Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll'
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Source: H78gXhk1NY.dll
Static PE information: section name: .code
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 2_2_00EE709D push edi; mov dword ptr [esp], FFFF0000h (at 2_2_00EE709E)
Code function: 2_2_00EE709D push 00000000h; mov dword ptr [esp], ebp (at 2_2_00EE70F5)
Code function: 2_2_00EE709D push esp; mov dword ptr [esp], 00000040h (at 2_2_00EE711D)
Code function: 2_2_00EE709D push 00000000h; mov dword ptr [esp], ecx (at 2_2_00EE716C)
Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx (at 2_2_00EE5F7B)
Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax (at 2_2_00EE5F94)
Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax (at 2_2_00EE5FDD)
Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax (at 2_2_00EE604B)
Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax (at 2_2_00EE6124)
Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi (at 2_2_00EE614F)
Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx (at 2_2_00EE625E)
Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax (at 2_2_00EE62B5)
Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax (at 2_2_00EE6343)
Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax (at 2_2_00EE635D)
Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], ebp (at 2_2_00EE6368)
Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax (at 2_2_00EE6385)
Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx (at 2_2_00EE63B4)
Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax (at 2_2_00EE6483)
Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax (at 2_2_00EE64F2)
Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax (at 2_2_00EE64FE)
Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax (at 2_2_00EE650A)
Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi (at 2_2_00EE6567)
Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi (at 2_2_00EE65A9)
Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], eax (at 2_2_00EE6610)
Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax (at 2_2_00EE6685)
Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx (at 2_2_00EE66C2)
Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax (at 2_2_00EE66E8)
Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi (at 2_2_00EE6781)
Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx (at 2_2_00EE67B6)
Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax (at 2_2_00EE684C)
Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax (at 2_2_00EE6858)
Source: C:\Windows\System32\loaddll32.exe
Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe
Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 2_2_00EE2A69 xor edi, dword ptr fs:[00000030h] (at 2_2_00EE2A69)
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_03092A69 xor edi, dword ptr fs:[00000030h] (at 3_2_03092A69)