Windows Analysis Report 1e60aca0000.dll

Overview

General Information

Sample Name: 1e60aca0000.dll
Analysis ID: 547693
MD5: f09f51fb30891aa93446c01018e92d49
SHA1: 28e62b9495bf58b7ff183c327a6eaa3ac7461b5b
SHA256: 68f2f77b88e5575b360d05f84ff11a026a62fa42f48aeec2cd44523692e40a6a
Tags: exegozi

Detection

Ursnif
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Sigma detected: Suspicious Call by Ordinal
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6308 cmdline: loaddll64.exe "C:\Users\user\Desktop\1e60aca0000.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6316 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1e60aca0000.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6352 cmdline: rundll32.exe "C:\Users\user\Desktop\1e60aca0000.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6340 cmdline: rundll32.exe C:\Users\user\Desktop\1e60aca0000.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "1ez6ZX9GBMHuzrxYcEvmkX0k1/y/WRE5hgthXVQ4P44VmZDRyl+qzgB3X8mQxx9hX87voxwb+7CbnJcCZ4hp/XwNIs0rUcJj4wwNctiIvZb8gIPsgWrAjjXLGMBCWjpmhIdWmYD7oSqxAb7ciAuhtWabiveV3OFwUuMRDbNtONTWpz/J4JVtQJ3XBbp99SutX5vbOPhgKBI3aszrv+0c1EkjrakCFHlOqMs8bjEjNDxrhaBWjOM1EU17zvHVkK7hxDkKQ5buzWmjrzDZEEWnvM3aa5uVRR1v44XnbolU0ltUakCZT4sH963oonk1uijxExj7eWoI4x+donYvsc/nFxNyfe6c/mfSKb7U2RhPG4g=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "poi.redhatbabby.at", "fgx.dangerboy.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "apr.intoolkom.at"], "ip_check_url": ["curlmyip.net"], "serpent_key": "KCVH9K5GZjoxwKSf", "server": "580", "sleep_time": "10", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "300", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "300", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "505050", "SetWaitableTimer_value": "60"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
1e60aca0000.dll | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

    Sigma Overview

    System Summary:

    Sigma detected: Suspicious Call by Ordinal
    Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe C:\Users\user\Desktop\1e60aca0000.dll,#1, CommandLine: rundll32.exe C:\Users\user\Desktop\1e60aca0000.dll,#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: loaddll64.exe "C:\Users\user\Desktop\1e60aca0000.dll", ParentImage: C:\Windows\System32\loaddll64.exe, ParentProcessId: 6308, ProcessCommandLine: rundll32.exe C:\Users\user\Desktop\1e60aca0000.dll,#1, ProcessId: 6340

    Jbx Signature Overview

    AV Detection:

    Antivirus / Scanner detection for submitted sample
    Source: 1e60aca0000.dll, Avira: detected
    Found malware configuration
    Source: 1e60aca0000.dll, Malware Configuration Extractor: Ursnif (configuration identical to the one listed under Malware Configuration above)
    Multi AV Scanner detection for submitted file
    Source: 1e60aca0000.dll, ReversingLabs: Detection: 34%

    Key, Mouse, Clipboard, Microphone and Screen Capturing:

    Yara detected Ursnif
    Source: Yara match, File source: 1e60aca0000.dll, type: SAMPLE

    E-Banking Fraud:

    Yara detected Ursnif
    Source: Yara match, File source: 1e60aca0000.dll, type: SAMPLE

    System Summary:

    Source: 1e60aca0000.dll, Static PE information: No import functions for PE file found
    Source: C:\Windows\System32\loaddll64.exe, Section loaded: .dll
    Source: 1e60aca0000.dll, ReversingLabs: Detection: 34%
    Source: 1e60aca0000.dll, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll64.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: classification engine, Classification label: mal76.troj.winDLL@7/0@0/0
    Source: C:\Windows\System32\loaddll64.exe, Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\1e60aca0000.dll,#1
    Source: unknown, Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\1e60aca0000.dll"
    Source: C:\Windows\System32\loaddll64.exe, Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1e60aca0000.dll",#1
    Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1e60aca0000.dll",#1
    Source: C:\Windows\System32\rundll32.exe, Automated click: OK
    Source: 1e60aca0000.dll, Static PE information: Image base 0x180000000 > 0x60000000

    Hooking and other Techniques for Hiding and Protection:

    Yara detected Ursnif
    Source: Yara match, File source: 1e60aca0000.dll, type: SAMPLE
    Source: C:\Windows\System32\rundll32.exe, Process information set: NOOPENFILEERRORBOX
    Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll64.exe, Process queried: DebugPort
    Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1e60aca0000.dll",#1

    Stealing of Sensitive Information:

    Yara detected Ursnif
    Source: Yara match, File source: 1e60aca0000.dll, type: SAMPLE

    Remote Access Functionality:

    Yara detected Ursnif
    Source: Yara match, File source: 1e60aca0000.dll, type: SAMPLE

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | DLL Side-Loading 1 | Process Injection 11 | Virtualization/Sandbox Evasion 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Rundll32 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 11 | Security Account Manager | System Information Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading 1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

    Behavior Graph

    [Behavior graph image not reproduced. Behavior Graph ID: 547693, Sample: 1e60aca0000.dll, Startdate: 04/01/2022, Architecture: WINDOWS, Score: 76. Process chain: loaddll64.exe started cmd.exe and rundll32.exe; cmd.exe started rundll32.exe. Signatures shown: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures.]
