
Analysis Report H78gXhk1NY.dll

Overview

General Information

Sample Name: H78gXhk1NY.dll
Analysis ID: 404151
MD5: 759e055bf47a9ce1a7fce3e3276120f3
SHA1: d6de742f6caf13d4a9aa75287d041596fbcea73a
SHA256: d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
Tags: dll, Gozi

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6272 cmdline: loaddll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6284 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6304 cmdline: rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6292 cmdline: rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA",
  "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"],
  "botnet": "5566",
  "server": "12",
  "serpent_key": "10301029JSJUYDWG",
  "sleep_time": "10",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.loaddll32.exe.8a0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.3100000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.f00000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.8a0000.1.raw.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: H78gXhk1NY.dll | ReversingLabs: Detection: 74%
Machine Learning detection for sample
Source: H78gXhk1NY.dll | Joe Sandbox ML: detected
Source: H78gXhk1NY.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE
Source: loaddll32.exe, 00000000.00000002.276071001.0000000000A9B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE13C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE43D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE27D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE1CD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2FAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE3FAB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE88BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE92B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE31B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2566
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE1967
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5262
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5378
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5A25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE150C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE1B1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE3A14
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03095F16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0309150C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03091B1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03093A14
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03095A25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03092A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03095262
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03091967
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03092566
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03095378
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03093FAB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03092FAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030988BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030931B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030992B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030913C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030943D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03091CD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030927D4
Source: H78gXhk1NY.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer
Source: H78gXhk1NY.dll | ReversingLabs: Detection: 74%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Source: H78gXhk1NY.dll | Static PE information: section name: .code
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE709D push edi; mov dword ptr [esp], FFFF0000h | 2_2_00EE709E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE709D push 00000000h; mov dword ptr [esp], ebp | 2_2_00EE70F5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE709D push esp; mov dword ptr [esp], 00000040h | 2_2_00EE711D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE709D push 00000000h; mov dword ptr [esp], ecx | 2_2_00EE716C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx | 2_2_00EE5F7B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 2_2_00EE5F94
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 2_2_00EE5FDD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 2_2_00EE604B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 2_2_00EE6124
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi | 2_2_00EE614F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx | 2_2_00EE625E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 2_2_00EE62B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 2_2_00EE6343
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 2_2_00EE635D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], ebp | 2_2_00EE6368
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 2_2_00EE6385
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx | 2_2_00EE63B4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 2_2_00EE6483
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 2_2_00EE64F2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 2_2_00EE64FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 2_2_00EE650A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi | 2_2_00EE6567
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi | 2_2_00EE65A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], eax | 2_2_00EE6610
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 2_2_00EE6685
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx | 2_2_00EE66C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 2_2_00EE66E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi | 2_2_00EE6781
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx | 2_2_00EE67B6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 2_2_00EE684C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 2_2_00EE6858

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2A69 xor edi, dword ptr fs:[00000030h] | 2_2_00EE2A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03092A69 xor edi, dword ptr fs:[00000030h] | 3_2_03092A69
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques listed per tactic column; a number in brackets is the report's count of matching signatures for that technique.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection [11]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Rundll32 [1]; Virtualization/Sandbox Evasion [1]; Process Injection [11]; Obfuscated Files or Information [1]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS
Discovery: Virtualization/Sandbox Evasion [1]; System Information Discovery [1]; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Input Capture [1]; Archive Collected Data [1]; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

[Behavior graph image] Behavior Graph ID: 404151 | Sample: H78gXhk1NY.dll | Start date: 04/05/2021 | Architecture: WINDOWS | Score: 68
Signatures shown on the graph: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
Process tree shown on the graph: loaddll32.exe started cmd.exe and rundll32.exe; cmd.exe started rundll32.exe
