Source: 5.3.rundll32.exe.d2a427.0.raw.unpack |
Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"} |
Source: kZcCqvNtWa.dll |
ReversingLabs: Detection: 21% |
Source: kZcCqvNtWa.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll |
Source: |
Binary string: c:\Tube-meet\585\straight\lift\38_Claim\Tail.pdb source: loaddll32.exe, 00000000.00000002.480778808.000000006E289000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.479153934.000000006E289000.00000002.00020000.sdmp, kZcCqvNtWa.dll |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_001D4C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, |
0_2_001D4C3B |
Source: unknown |
DNS traffic detected: queries for: outlook.com |
Source: Yara match |
File source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 1956, type: MEMORY |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E241F14 NtMapViewOfSection, |
0_2_6E241F14 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E2415F1 GetProcAddress,NtCreateSection,memset, |
0_2_6E2415F1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E2423A5 NtQueryVirtualMemory, |
0_2_6E2423A5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_001D1168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
0_2_001D1168 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_001DB2F1 NtQueryVirtualMemory, |
0_2_001DB2F1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E242184 |
0_2_6E242184 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_001DB0CC |
0_2_001DB0CC |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_001D696A |
0_2_001D696A |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_001D1B6A |
0_2_001D1B6A |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E278960 |
0_2_6E278960 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E282153 |
0_2_6E282153 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E278960 |
3_2_6E278960 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E282153 |
3_2_6E282153 |
Source: kZcCqvNtWa.dll |
Binary or memory string: OriginalFilenameTail.dll0 vs kZcCqvNtWa.dll |
Source: kZcCqvNtWa.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal76.troj.winDLL@14/4@3/0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_001D7F56 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, |
0_2_001D7F56 |
Source: C:\Program Files\internet explorer\iexplore.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High |
Source: C:\Program Files\internet explorer\iexplore.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFE4F68CE1A440F339.TMP |
Source: C:\Program Files\internet explorer\iexplore.exe |
File read: C:\Users\desktop.ini |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Eithernothing |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Order |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Smileschool |
|
Source: unknown |
Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
|
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1492 CREDAT:17410 /prefetch:2 |
|
Source: C:\Windows\System32\loaddll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: kZcCqvNtWa.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: kZcCqvNtWa.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: kZcCqvNtWa.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: kZcCqvNtWa.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: kZcCqvNtWa.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: kZcCqvNtWa.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: kZcCqvNtWa.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: kZcCqvNtWa.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: kZcCqvNtWa.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: kZcCqvNtWa.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: kZcCqvNtWa.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E2417FA LoadLibraryA,GetProcAddress, |
0_2_6E2417FA |
Source: kZcCqvNtWa.dll |
Static PE information: real checksum: 0x84de2 should be: 0x8037c |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E242120 push ecx; ret |
0_2_6E242129 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E242173 push ecx; ret |
0_2_6E242183 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_001DB0BB push ecx; ret |
0_2_001DB0CB |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_001DAD00 push ecx; ret |
0_2_001DAD09 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E282761 push ecx; ret |
0_2_6E282774 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E254348 push ss; ret |
0_2_6E25434B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E25778D pushfd ; ret |
0_2_6E2577AB |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E252F9A push edi; retf |
0_2_6E252FA4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E252C15 push ebp; retf |
0_2_6E252C16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E282761 push ecx; ret |
3_2_6E282774 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E254348 push ss; ret |
3_2_6E25434B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E25778D pushfd ; ret |
3_2_6E2577AB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E252F9A push edi; retf |
3_2_6E252FA4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E252C15 push ebp; retf |
3_2_6E252C16 |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E28636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_6E28636F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E2B5770 mov eax, dword ptr fs:[00000030h] |
0_2_6E2B5770 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E2B56A6 mov eax, dword ptr fs:[00000030h] |
0_2_6E2B56A6 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E2B52AD push dword ptr fs:[00000030h] |
0_2_6E2B52AD |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E2B5770 mov eax, dword ptr fs:[00000030h] |
3_2_6E2B5770 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E2B56A6 mov eax, dword ptr fs:[00000030h] |
3_2_6E2B56A6 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E2B52AD push dword ptr fs:[00000030h] |
3_2_6E2B52AD |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E282F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_6E282F08 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E28150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_6E28150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E282F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_6E282F08 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E28636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_6E28636F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E28150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_6E28150C |
Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_001D2D6E cpuid |
0_2_001D2D6E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoA, |
0_2_6E287660 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA, |
3_2_6E287660 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E241237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
0_2_6E241237 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_001D2D6E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |
0_2_001D2D6E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E241CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
0_2_6E241CDD |