Loading ...

Play interactive tourEdit tour

Windows Analysis Report 202c6770000.dll

Overview

General Information

Sample Name:202c6770000.dll
Analysis ID:547692
MD5:4b76083e201810b0a6430846ca94250a
SHA1:963f018eb2d3a6ae81c40486a63795cdf137be52
SHA256:8cba0769d25a6cc0cd53961a53b1a13568446ea01f0d72724e15eaef087f314a
Tags:exegozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Ursnif
Sigma detected: Suspicious Call by Ordinal
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6580 cmdline: loaddll64.exe "C:\Users\user\Desktop\202c6770000.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6588 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\202c6770000.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6108 cmdline: rundll32.exe "C:\Users\user\Desktop\202c6770000.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5128 cmdline: rundll32.exe C:\Users\user\Desktop\202c6770000.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "R+UxqbV/y+ZU1c0seFgwYm43sz1DSmatV8GC7d9ajlQ+vaAx2oxbmrXwev8mSqGGA/bUt2ZkpqSt/nxO6+/Ak7RHUIzazuikwj2CwtI2KIDL8nZsOoWBzTyOzo34t4SghKOmz0ogisuhvhvEfnzRtTwTwtCrGujd4Sa3+qw1BPxaNAN0DFEVfIrq201z4jAs", "c2_domain": ["lycos.com", "mail.yahoo.com", "193.56.255.251", "193.56.255.250", "193.56.255.249", "numolerunosell.online", "gumolerunosell.online", "rumolerunosell.online"], "dga_tld": "com ru org", "DGA_count": "10", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "60", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "1000", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "122", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "1000", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "122", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "4474", "SetWaitableTimer_value": "200"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
202c6770000.dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Suspicious Call by OrdinalShow sources
    Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe C:\Users\user\Desktop\202c6770000.dll,#1, CommandLine: rundll32.exe C:\Users\user\Desktop\202c6770000.dll,#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: loaddll64.exe "C:\Users\user\Desktop\202c6770000.dll", ParentImage: C:\Windows\System32\loaddll64.exe, ParentProcessId: 6580, ProcessCommandLine: rundll32.exe C:\Users\user\Desktop\202c6770000.dll,#1, ProcessId: 5128

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 202c6770000.dllMalware Configuration Extractor: Ursnif {"RSA Public Key": "R+UxqbV/y+ZU1c0seFgwYm43sz1DSmatV8GC7d9ajlQ+vaAx2oxbmrXwev8mSqGGA/bUt2ZkpqSt/nxO6+/Ak7RHUIzazuikwj2CwtI2KIDL8nZsOoWBzTyOzo34t4SghKOmz0ogisuhvhvEfnzRtTwTwtCrGujd4Sa3+qw1BPxaNAN0DFEVfIrq201z4jAs", "c2_domain": ["lycos.com", "mail.yahoo.com", "193.56.255.251", "193.56.255.250", "193.56.255.249", "numolerunosell.online", "gumolerunosell.online", "rumolerunosell.online"], "dga_tld": "com ru org", "DGA_count": "10", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "60", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "1000", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "122", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "1000", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "122", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "4474", "SetWaitableTimer_value": "200"}

    Key, Mouse, Clipboard, Microphone and Screen Capturing:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 202c6770000.dll, type: SAMPLE

    E-Banking Fraud:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 202c6770000.dll, type: SAMPLE

    System Summary:

    barindex
    Source: 202c6770000.dllStatic PE information: No import functions for PE file found
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dll
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dll
    Source: 202c6770000.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: classification engineClassification label: mal60.troj.winDLL@7/0@0/0
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\202c6770000.dll,#1
    Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\202c6770000.dll"
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\202c6770000.dll",#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\202c6770000.dll,#1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\202c6770000.dll",#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\202c6770000.dll",#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\202c6770000.dll,#1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\202c6770000.dll",#1
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: 202c6770000.dllStatic PE information: Image base 0x180000000 > 0x60000000

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 202c6770000.dll, type: SAMPLE
    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPort
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\202c6770000.dll",#1

    Stealing of Sensitive Information:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 202c6770000.dll, type: SAMPLE

    Remote Access Functionality:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 202c6770000.dll, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationDLL Side-Loading1Process Injection11Virtualization/Sandbox Evasion1OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Rundll321LSASS MemoryVirtualization/Sandbox Evasion1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection11Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)DLL Side-Loading1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 547692 Sample: 202c6770000.dll Startdate: 04/01/2022 Architecture: WINDOWS Score: 60 15 Found malware configuration 2->15 17 Yara detected  Ursnif 2->17 19 Sigma detected: Suspicious Call by Ordinal 2->19 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.