Analysis Report 609a460e94791.tiff.dll

Overview

General Information

Sample Name: 609a460e94791.tiff.dll
Analysis ID: 410818
MD5: 50a299d1e92d9205e123404c8e05904d
SHA1: c188272ab757dbbf14e74781fc90fcefe4aeb615
SHA256: 3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34
Tags: BRT dll geo gozi isfb ita ursnif

Detection

Ursnif
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 3.3.rundll32.exe.2c0a427.0.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
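
The configuration above is the extractor's raw output. The following Python is an added example, not part of the report or of any extractor, showing how an analyst would normalise it into indicators: it decodes the RSA blob to check that it is well-formed base64 and records its length, checks that serpent_key is 16 bytes (Serpent-128), and splits the c2_domain list into candidate C2 hosts and well-known legitimate hosts, because this family is commonly reported to pad its C2 list with decoy domains such as the outlook.com and gmail.com entries seen here. The DECOY_HOSTS allowlist and the output line format are assumptions of the example; the configuration string is copied from the report.

```python
import base64
import json

# Extractor output copied verbatim from the report above.
REPORT_CONFIG = r'''{"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}'''

# Assumption of this example: hosts the family is known to mix into its C2
# list as decoys. Extend from your own intel; anything not listed is treated
# as a candidate C2.
DECOY_HOSTS = {"outlook.com", "gmail.com", "google.com", "microsoft.com", "bing.com"}


def host_of(entry):
    """Strip any URL path ('outlook.com/login' -> 'outlook.com')."""
    return entry.split("/", 1)[0].strip().lower()


def parse_ursnif_config(text):
    """Validate and normalise an extracted Ursnif/ISFB configuration."""
    cfg = json.loads(text)
    # The public key is a base64 blob; we only check that it decodes cleanly.
    rsa_blob = base64.b64decode(cfg["RSA Public Key"], validate=True)
    serpent_key = cfg["serpent_key"].encode("ascii")
    if len(serpent_key) != 16:
        raise ValueError("serpent_key must be 16 bytes (Serpent-128)")
    c2, decoys = [], []
    for entry in cfg["c2_domain"]:
        (decoys if host_of(entry) in DECOY_HOSTS else c2).append(entry)
    return {
        "botnet": cfg["botnet"],
        "server": cfg["server"],
        "rsa_pubkey_len": len(rsa_blob),
        "serpent_key_hex": serpent_key.hex(),
        "c2": c2,
        "decoys": decoys,
        "sleep_time": int(cfg["sleep_time"]),
        "conf_timeout": int(cfg["CONF_TIMEOUT"]),
        "dga_count": int(cfg["DGA_count"]),
    }


def to_ioc_lines(parsed):
    """Render blockable indicators only; decoys are deliberately left out."""
    lines = [f"domain,{host_of(e)},ursnif-c2,botnet={parsed['botnet']}" for e in parsed["c2"]]
    lines.append(f"key,serpent:{parsed['serpent_key_hex']},ursnif-config")
    return lines


if __name__ == "__main__":
    parsed = parse_ursnif_config(REPORT_CONFIG)
    for key, value in parsed.items():
        print(f"{key}: {value}")
    print("\n".join(to_ioc_lines(parsed)))
```

Blocking the two decoy entries would add noise to a proxy denylist and tells the operator nothing; the two remaining hosts, the botnet id and the Serpent key are what is worth pivoting on across other reports.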

Compliance:

Uses 32bit PE files
Source: 609a460e94791.tiff.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 609a460e94791.tiff.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\die\Oh\ease_Slip\Suffix\fall.pdb source: loaddll32.exe, 00000000.00000002.591062302.000000006E1FB000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.592702264.000000006E1FB000.00000002.00020000.sdmp, 609a460e94791.tiff.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 0_2_6E1D5AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 3_2_6E1D5AB0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1623A5 NtQueryVirtualMemory, 0_2_6E1623A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E161F14 NtMapViewOfSection, 3_2_6E161F14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1615F1 GetProcAddress,NtCreateSection,memset, 3_2_6E1615F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1623A5 NtQueryVirtualMemory, 3_2_6E1623A5
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E162184 0_2_6E162184
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E162184 3_2_6E162184
Sample file is different than original file name gathered from version info
Source: 609a460e94791.tiff.dll Binary or memory string: OriginalFilenamefall.dll8 vs 609a460e94791.tiff.dll
Uses 32bit PE files
Source: 609a460e94791.tiff.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal60.troj.winDLL@12/0@0/0
Source: 609a460e94791.tiff.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK (3 times)
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 609a460e94791.tiff.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\die\Oh\ease_Slip\Suffix\fall.pdb source: loaddll32.exe, 00000000.00000002.591062302.000000006E1FB000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.592702264.000000006E1FB000.00000002.00020000.sdmp, 609a460e94791.tiff.dll
Source: 609a460e94791.tiff.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 609a460e94791.tiff.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 609a460e94791.tiff.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 609a460e94791.tiff.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 609a460e94791.tiff.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
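
The WMI registry writes and the rundll32 launch lines in this section are exactly the kind of telemetry a host sensor records. The following Python is an added example, not part of the report or of any sensor product, that runs two checks over constructed event records modelled on those lines: rundll32 loading a module from a user-writable path, under a double extension such as .tiff.dll, or by ordinal (#1); and StdRegProv Set*/CreateKey/Delete* methods executed through IWbemServices::ExecMethod from a rundll32 client process. The event schema, the sample records (including a benign Control Panel launch as a control), the user-writable prefixes and the disguise-extension list are assumptions of the example; the WMI operation strings reuse the report's own format.

```python
import re

# Constructed sample telemetry modelled on the report's process tree and WMI
# lines. Field names are an assumption of this example, not a real sensor schema.
EVENTS = [
    {"type": "process", "pid": 1000, "ppid": 1, "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll'"},
    {"type": "process", "pid": 1752, "ppid": 1000, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8"},
    {"type": "process", "pid": 1800, "ppid": 1000, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1"},
    {"type": "process", "pid": 1810, "ppid": 1800, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1"},
    # Benign control: Control Panel applet launched through rundll32 by explorer.
    {"type": "process", "pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "wmi", "client_pid": 1752,
     "operation": r"IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue"},
    {"type": "wmi", "client_pid": 1752,
     "operation": r"IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue"},
    {"type": "wmi", "client_pid": 2000,
     "operation": r"IWbemServices::ExecMethod - root\cimv2 : Win32_Process::GetOwner"},
]

# Assumptions of this example: where user code lands, and which secondary
# extensions never legitimately precede .dll.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
DISGUISE_EXTS = {".tiff", ".tif", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".txt"}
WMI_REG_WRITE = re.compile(r"StdRegProv::(Set\w+Value|CreateKey|DeleteKey|DeleteValue)$")


def parse_rundll32(cmdline):
    """Split 'rundll32.exe <module>,<entry>' into (module, entry); entry may be '#ordinal'."""
    parts = cmdline.split(None, 1)
    rest = parts[1].strip() if len(parts) > 1 else ""
    if rest[:1] in ("'", '"'):                      # quoted module path
        close = rest.index(rest[0], 1)
        module, rest = rest[1:close], rest[close + 1:]
    else:                                           # unquoted: module ends at the comma
        module, _, rest = rest.partition(",")
        rest = "," + rest
    entry = rest.lstrip(", ").split()[0] if rest.strip(", ") else ""
    return module, entry


def check_rundll32(event):
    """Reasons a rundll32 launch looks like a LOLBin hosting foreign code."""
    reasons = []
    module, entry = parse_rundll32(event["cmdline"])
    low = module.lower()
    name = low.rsplit("\\", 1)[-1]
    if low.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"module in user-writable path: {module}")
    stem = name.rsplit(".", 1)[0]
    if "." in stem and "." + stem.rsplit(".", 1)[1] in DISGUISE_EXTS:
        reasons.append(f"double extension disguise: {name}")
    if entry.startswith("#"):
        reasons.append(f"export called by ordinal: {entry}")
    return reasons


def evaluate(events):
    """Return {pid: [reasons]} for every process that trips a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = {}
    for e in events:
        if e["type"] == "process" and e["image"].lower().endswith("\\rundll32.exe"):
            for reason in check_rundll32(e):
                findings.setdefault(e["pid"], []).append(reason)
        elif e["type"] == "wmi":
            client = procs.get(e["client_pid"])
            client_img = client["image"].lower().rsplit("\\", 1)[-1] if client else "?"
            # StdRegProv lives in root\default; a registry write through it from
            # rundll32 is not how administrators or installers touch the registry.
            if WMI_REG_WRITE.search(e["operation"]) and client_img == "rundll32.exe":
                method = e["operation"].rsplit(" : ", 1)[-1]
                findings.setdefault(e["client_pid"], []).append(f"registry write via WMI from rundll32: {method}")
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(evaluate(EVENTS).items()):
        print(pid, *reasons, sep="\n  ")
```

The WMI rule only fires when the process table resolves the client to rundll32.exe; on a real sensor that join is the part to get right, because the WMI provider host, not the client, is what most logs attribute the registry change to.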

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1617FA LoadLibraryA,GetProcAddress, 0_2_6E1617FA
PE file contains an invalid checksum
Source: 609a460e94791.tiff.dll Static PE information: real checksum: 0xdacb0 should be: 0xd1c24
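
The static PE facts listed in this report (32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, DYNAMIC_BASE, NX_COMPAT) and the checksum mismatch above all come from header fields that are cheap to verify independently of the sandbox. The following Python is an added example, not part of the report or of any PE library, that reads those fields with the standard library and recomputes the checksum with the CheckSumMappedFile algorithm (32-bit word sum with carry folding, the CheckSum field itself treated as zero, folded to 16 bits, plus the file length). A mismatch like the one reported is a weak signal on its own: linkers leave the field zero unless told to set it, and any post-build modification such as packing or patching invalidates it, so read it as "this image was changed after linking" rather than as a detection. The build_sample_pe helper constructs a header-only PE so the script runs offline; in practice call describe_pe on a real file's bytes.

```python
import struct

# COFF Characteristics and DllCharacteristics bits (winnt.h).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x10B


def pe_checksum(data, checksum_offset):
    """CheckSumMappedFile algorithm: sum of little-endian 32-bit words with carry
    folding, skipping the 4-byte CheckSum field, folded to 16 bits, plus file length."""
    total = 0
    aligned = len(data) - len(data) % 4
    for off in range(0, aligned, 4):
        if off == checksum_offset:           # the field itself counts as zero
            continue
        total += struct.unpack_from("<I", data, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    if aligned != len(data):                 # trailing 1-3 bytes, zero-padded
        total += int.from_bytes(data[aligned:], "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def describe_pe(data):
    """Decode the header facts the report lists and verify the stored checksum."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _psym, _nsym, _optsize, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    checksum_offset = opt + 64               # CheckSum sits at +64 for both PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    computed = pe_checksum(data, checksum_offset)
    flags = [n for n, b in (("32BIT_MACHINE", IMAGE_FILE_32BIT_MACHINE),
                            ("EXECUTABLE_IMAGE", IMAGE_FILE_EXECUTABLE_IMAGE),
                            ("DLL", IMAGE_FILE_DLL)) if chars & b]
    dll_flags = [n for n, b in (("DYNAMIC_BASE", IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
                                ("NX_COMPAT", IMAGE_DLLCHARACTERISTICS_NX_COMPAT)) if dll_chars & b]
    return {
        "machine_i386": machine == IMAGE_FILE_MACHINE_I386,
        "pe32": magic == PE32_MAGIC,
        "characteristics": flags,
        "dll_characteristics": dll_flags,
        "stored_checksum": stored,
        "computed_checksum": computed,
        # Zero means "never set"; any other value must match exactly.
        "checksum_ok": stored == 0 or stored == computed,
    }


def build_sample_pe(stored_checksum=0):
    """Constructed header-only PE32 DLL (no sections) used as offline test input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 0xE0,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 64, stored_checksum)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in describe_pe(data).items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key}: {shown}")
```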
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E162120 push ecx; ret 0_2_6E162129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E162173 push ecx; ret 0_2_6E162183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2306DB push ebp; retf 0000h 0_2_6E2306DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E162120 push ecx; ret 3_2_6E162129
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E162173 push ecx; ret 3_2_6E162183
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2306DB push ebp; retf 0000h 3_2_6E2306DC

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1911D0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6E1911D0
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (12 times)

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 0_2_6E1D5AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 3_2_6E1D5AB0

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1936C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1936C0
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1D0480 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV, 0_2_6E1D0480
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1617FA LoadLibraryA,GetProcAddress, 0_2_6E1617FA
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1D4E20 mov ecx, dword ptr fs:[00000030h] 0_2_6E1D4E20
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1D4CE0 mov ecx, dword ptr fs:[00000030h] 0_2_6E1D4CE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1D4D80 mov ecx, dword ptr fs:[00000030h] 0_2_6E1D4D80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A7960 mov eax, dword ptr fs:[00000030h] 0_2_6E1A7960
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E22C536 mov eax, dword ptr fs:[00000030h] 0_2_6E22C536
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E22C46C mov eax, dword ptr fs:[00000030h] 0_2_6E22C46C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E22C073 push dword ptr fs:[00000030h] 0_2_6E22C073
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D4E20 mov ecx, dword ptr fs:[00000030h] 3_2_6E1D4E20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D4CE0 mov ecx, dword ptr fs:[00000030h] 3_2_6E1D4CE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D4D80 mov ecx, dword ptr fs:[00000030h] 3_2_6E1D4D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1A7960 mov eax, dword ptr fs:[00000030h] 3_2_6E1A7960
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E22C536 mov eax, dword ptr fs:[00000030h] 3_2_6E22C536
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E22C46C mov eax, dword ptr fs:[00000030h] 3_2_6E22C46C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E22C073 push dword ptr fs:[00000030h] 3_2_6E22C073
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1936C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1936C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1A4F60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1938F0 SetUnhandledExceptionFilter, 0_2_6E1938F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E193990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E193990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1936C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E1936C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1A4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E1A4F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1938F0 SetUnhandledExceptionFilter, 3_2_6E1938F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E193990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E193990
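
The PEB reads and debugger checks listed in this section, and the push/ret sequences from the Data Obfuscation section, are byte patterns a scanner can locate without running the sample: mov eax, fs:[30h] is 64 A1 30 00 00 00 (or 64 8B 05 30 00 00 00), mov ecx, fs:[30h] is 64 8B 0D 30 00 00 00, push fs:[30h] is 64 FF 35 30 00 00 00, push ecx; ret is 51 C3 and push ebp; retf 0000h is 55 CA 00 00. The following Python is an added example, not part of the report or of the sandbox's signature engine, that scans a byte buffer for those encodings and for debugger-check import names and reports file offsets (mapping them to the virtual addresses the report prints would need the section table). Two caveats a practitioner should keep in mind: a two-byte sequence like 51 C3 matches inside data and unrelated instructions, so the scanner only reports it after repeated hits; and reading fs:[30h] or calling IsDebuggerPresent is also done by ordinary CRT and loader code (the report's OutputDebugStringW hit sits in a function that also calls __CrtDbgReportWV), so the output is triage input, not a verdict. The sample buffer and the hit threshold are constructed for this example.

```python
# x86 encodings of the instructions the report flags (file-offset scan, no disassembler).
OPCODE_PATTERNS = {
    "mov eax, fs:[30h] (PEB)": [bytes.fromhex("64A130000000"), bytes.fromhex("648B0530000000")],
    "mov ecx, fs:[30h] (PEB)": [bytes.fromhex("648B0D30000000")],
    "push fs:[30h] (PEB)":     [bytes.fromhex("64FF3530000000")],
    "push ecx; ret":           [bytes.fromhex("51C3")],
    "push ebp; retf 0":        [bytes.fromhex("55CA0000")],
}
# Short patterns match noise; require repetition before reporting (assumed threshold).
MIN_HITS = {"push ecx; ret": 3}

# Debugger-check imports, looked up as NUL-terminated names in the import name table.
API_NAMES = [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
             b"OutputDebugStringW", b"OutputDebugStringA", b"NtQueryInformationProcess"]


def find_all(data, needle):
    """File offsets of every occurrence of needle, overlapping allowed."""
    hits, start = [], 0
    while (idx := data.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan(data):
    """Return {label: [offsets]} for opcode patterns and imported API names found."""
    report = {}
    for label, encodings in OPCODE_PATTERNS.items():
        hits = sorted(off for enc in encodings for off in find_all(data, enc))
        if len(hits) >= MIN_HITS.get(label, 1):
            report[label] = hits
    for name in API_NAMES:
        # The trailing NUL keeps "IsDebuggerPresent" from matching inside longer strings.
        hits = find_all(data, name + b"\0")
        if hits:
            report["import " + name.decode()] = hits
    return report


def build_sample():
    """Constructed buffer: filler, a PEB read followed by a BeingDebugged load,
    a second PEB read, push/ret gadgets, and two import names."""
    filler = bytes(range(256)) * 2                      # contains none of the patterns
    peb_read = bytes.fromhex("64A130000000")            # mov eax, fs:[30h]
    being_debugged = bytes.fromhex("0FB64002")          # movzx eax, byte ptr [eax+2]  (PEB.BeingDebugged)
    peb_read_ecx = bytes.fromhex("648B0D30000000")      # mov ecx, fs:[30h]
    gadgets = bytes.fromhex("51C3") * 3 + bytes.fromhex("55CA0000")
    names = b"IsDebuggerPresent\0OutputDebugStringW\0"
    return filler + peb_read + being_debugged + b"\x90" * 8 + peb_read_ecx + gadgets + names


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for label, offsets in scan(data).items():
        print(f"{label}: {', '.join(f'{o:#x}' for o in offsets)}")
```

The movzx following the first PEB read is the classic inline IsDebuggerPresent (PEB.BeingDebugged at offset 2); the scanner reports the fs:[30h] load, and a reviewer then looks at what the code does with the pointer.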

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E161237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E161237
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E161CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E161CDD

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY

Behavior Graph

Behavior Graph ID: 410818
Sample: 609a460e94791.tiff.dll
Start date: 11/05/2021
Architecture: WINDOWS
Score: 60
Signatures on the sample node: Found malware configuration; Yara detected Ursnif
Process tree (as drawn in the graph):
  loaddll32.exe (started)
    rundll32.exe (started) - signature: Writes registry values via WMI
    cmd.exe (started)
      rundll32.exe (started)
    rundll32.exe (started)
    rundll32.exe (started)
  iexplore.exe (started)
No contacted IP infos