Source: 0.3.loaddll32.exe.2c694a0.0.raw.unpack |
Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"} |
Source: Yara match |
File source: 00000002.00000002.253564107.0000000000710000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.472819252.0000000000A50000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.454251759.0000000000840000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 3.2.rundll32.exe.a50000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.840000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.rundll32.exe.710000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.10000000.4.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 |
0_2_007D5F16 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5378 |
0_2_007D5378 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D2A69 |
0_2_007D2A69 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D1967 |
0_2_007D1967 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D2566 |
0_2_007D2566 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5262 |
0_2_007D5262 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5A25 |
0_2_007D5A25 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D1B1E |
0_2_007D1B1E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D3A14 |
0_2_007D3A14 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D150C |
0_2_007D150C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D43D8 |
0_2_007D43D8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D27D4 |
0_2_007D27D4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D1CD0 |
0_2_007D1CD0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D13C5 |
0_2_007D13C5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D88BA |
0_2_007D88BA |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D31B3 |
0_2_007D31B3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D92B2 |
0_2_007D92B2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D2FAF |
0_2_007D2FAF |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D3FAB |
0_2_007D3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F5F16 |
2_2_006F5F16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F2A69 |
2_2_006F2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F1967 |
2_2_006F1967 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F2566 |
2_2_006F2566 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F5262 |
2_2_006F5262 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F5378 |
2_2_006F5378 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F5A25 |
2_2_006F5A25 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F150C |
2_2_006F150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F1B1E |
2_2_006F1B1E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F3A14 |
2_2_006F3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F13C5 |
2_2_006F13C5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F43D8 |
2_2_006F43D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F27D4 |
2_2_006F27D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F1CD0 |
2_2_006F1CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F2FAF |
2_2_006F2FAF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F3FAB |
2_2_006F3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F88BA |
2_2_006F88BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F31B3 |
2_2_006F31B3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F92B2 |
2_2_006F92B2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A35F16 |
3_2_00A35F16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A33FAB |
3_2_00A33FAB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A32FAF |
3_2_00A32FAF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A331B3 |
3_2_00A331B3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A392B2 |
3_2_00A392B2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A388BA |
3_2_00A388BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A313C5 |
3_2_00A313C5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A31CD0 |
3_2_00A31CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A327D4 |
3_2_00A327D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A343D8 |
3_2_00A343D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A35A25 |
3_2_00A35A25 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A3150C |
3_2_00A3150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A33A14 |
3_2_00A33A14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A31B1E |
3_2_00A31B1E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A35262 |
3_2_00A35262 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A31967 |
3_2_00A31967 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A32566 |
3_2_00A32566 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A32A69 |
3_2_00A32A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A35378 |
3_2_00A35378 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10002154 |
3_2_10002154 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\t6ygT2aU8p.dll,DllServer |
Source: t6ygT2aU8p.dll |
Virustotal: Detection: 63% |
Source: t6ygT2aU8p.dll |
Metadefender: Detection: 61% |
Source: t6ygT2aU8p.dll |
ReversingLabs: Detection: 82% |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll' |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\t6ygT2aU8p.dll,DllServer |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
0_2_007D5F7B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_007D5F94 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_007D5FDD |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
0_2_007D604B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_007D6124 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edi |
0_2_007D614F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edx |
0_2_007D625E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
0_2_007D62B5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
0_2_007D6343 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
0_2_007D635D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], ebp |
0_2_007D6368 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_007D6385 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edx |
0_2_007D63B4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_007D6483 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_007D64F2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
0_2_007D64FE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_007D650A |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edi |
0_2_007D6567 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edi |
0_2_007D65A9 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], eax |
0_2_007D6610 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_007D6685 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx |
0_2_007D66C2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_007D66E8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edi |
0_2_007D6781 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edx |
0_2_007D67B6 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_007D684C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_007D6858 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx |
0_2_007D6926 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
0_2_007D6945 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
0_2_007D6951 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
0_2_007D69D6 |
Source: Yara match |
File source: 00000002.00000002.253564107.0000000000710000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.472819252.0000000000A50000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.454251759.0000000000840000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 3.2.rundll32.exe.a50000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.840000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.rundll32.exe.710000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.10000000.4.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_007D2A69 xor edi, dword ptr fs:[00000030h] |
0_2_007D2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_006F2A69 xor edi, dword ptr fs:[00000030h] |
2_2_006F2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00A32A69 xor edi, dword ptr fs:[00000030h] |
3_2_00A32A69 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: rundll32.exe, 00000003.00000002.475289401.00000000030B0000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: rundll32.exe, 00000003.00000002.475289401.00000000030B0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: rundll32.exe, 00000003.00000002.475289401.00000000030B0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: rundll32.exe, 00000003.00000002.475289401.00000000030B0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
3_2_1000163F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
3_2_10001850 |
Source: Yara match |
File source: 00000002.00000002.253564107.0000000000710000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.472819252.0000000000A50000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.454251759.0000000000840000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 3.2.rundll32.exe.a50000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.840000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.rundll32.exe.710000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.10000000.4.unpack, type: UNPACKEDPE |