Source: 3.3.rundll32.exe.2c0a427.0.raw.unpack
Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Source: 609a460e94791.tiff.dll
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 609a460e94791.tiff.dll
Static PE information: DYNAMIC_BASE, NX_COMPAT
Binary string: c:\die\Oh\ease_Slip\Suffix\fall.pdb source: loaddll32.exe, 00000000.00000002.591062302.000000006E1FB000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.592702264.000000006E1FB000.00000002.00020000.sdmp, 609a460e94791.tiff.dll
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,
0_2_6E1D5AB0
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,
3_2_6E1D5AB0
Source: Yara match
File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match
File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1623A5 NtQueryVirtualMemory,
0_2_6E1623A5
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E161F14 NtMapViewOfSection,
3_2_6E161F14
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E1615F1 GetProcAddress,NtCreateSection,memset,
3_2_6E1615F1
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E1623A5 NtQueryVirtualMemory,
3_2_6E1623A5
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E162184
0_2_6E162184
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E162184
3_2_6E162184
Source: 609a460e94791.tiff.dll
Binary or memory string: OriginalFilenamefall.dll8 vs 609a460e94791.tiff.dll
Source: 609a460e94791.tiff.dll
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine
Classification label: mal60.troj.winDLL@12/0@0/0
Source: 609a460e94791.tiff.dll
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8
Source: unknown
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll'
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8
Source: unknown
Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe
Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe
Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe
Automated click: OK
Source: 609a460e94791.tiff.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 609a460e94791.tiff.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 609a460e94791.tiff.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 609a460e94791.tiff.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 609a460e94791.tiff.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 609a460e94791.tiff.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 609a460e94791.tiff.dll
Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 609a460e94791.tiff.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary string: c:\die\Oh\ease_Slip\Suffix\fall.pdb source: loaddll32.exe, 00000000.00000002.591062302.000000006E1FB000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.592702264.000000006E1FB000.00000002.00020000.sdmp, 609a460e94791.tiff.dll
Source: 609a460e94791.tiff.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 609a460e94791.tiff.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 609a460e94791.tiff.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 609a460e94791.tiff.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 609a460e94791.tiff.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1617FA LoadLibraryA,GetProcAddress,
0_2_6E1617FA
Source: 609a460e94791.tiff.dll
Static PE information: real checksum: 0xdacb0 should be: 0xd1c24
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E162120 push ecx; ret
0_2_6E162129
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E162173 push ecx; ret
0_2_6E162183
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E2306DB push ebp; retf 0000h
0_2_6E2306DC
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E162120 push ecx; ret
3_2_6E162129
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E162173 push ecx; ret
3_2_6E162183
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E2306DB push ebp; retf 0000h
3_2_6E2306DC
Source: Yara match
File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match
File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1911D0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
0_2_6E1911D0
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe
Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe
Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,
0_2_6E1D5AB0
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,
3_2_6E1D5AB0
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1936C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
0_2_6E1936C0
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1D0480 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV,
0_2_6E1D0480
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1617FA LoadLibraryA,GetProcAddress,
0_2_6E1617FA
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1D4E20 mov ecx, dword ptr fs:[00000030h]
0_2_6E1D4E20
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1D4CE0 mov ecx, dword ptr fs:[00000030h]
0_2_6E1D4CE0
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1D4D80 mov ecx, dword ptr fs:[00000030h]
0_2_6E1D4D80
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1A7960 mov eax, dword ptr fs:[00000030h]
0_2_6E1A7960
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E22C536 mov eax, dword ptr fs:[00000030h]
0_2_6E22C536
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E22C46C mov eax, dword ptr fs:[00000030h]
0_2_6E22C46C
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E22C073 push dword ptr fs:[00000030h]
0_2_6E22C073
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E1D4E20 mov ecx, dword ptr fs:[00000030h]
3_2_6E1D4E20
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E1D4CE0 mov ecx, dword ptr fs:[00000030h]
3_2_6E1D4CE0
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E1D4D80 mov ecx, dword ptr fs:[00000030h]
3_2_6E1D4D80
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E1A7960 mov eax, dword ptr fs:[00000030h]
3_2_6E1A7960
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E22C536 mov eax, dword ptr fs:[00000030h]
3_2_6E22C536
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E22C46C mov eax, dword ptr fs:[00000030h]
3_2_6E22C46C
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E22C073 push dword ptr fs:[00000030h]
3_2_6E22C073
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1936C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
0_2_6E1936C0
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1A4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
0_2_6E1A4F60
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E1938F0 SetUnhandledExceptionFilter,
0_2_6E1938F0
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E193990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
0_2_6E193990
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E1936C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
3_2_6E1936C0
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E1A4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
3_2_6E1A4F60
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E1938F0 SetUnhandledExceptionFilter,
3_2_6E1938F0
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6E193990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
3_2_6E193990
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp
Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp
Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp
Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E161237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
0_2_6E161237
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_6E161CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
0_2_6E161CDD
Source: Yara match
File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match
File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY