Loading ...

Play interactive tourEdit tour

Windows Analysis Report d780000.dll

Overview

General Information

Sample Name:d780000.dll
Analysis ID:552535
MD5:0c3b18bb45fc04d2b4f802e4a6a898f4
SHA1:198fdda0ebc3eb6c4c0c3f235d4d2725f51ab688
SHA256:640977f81ab253d45adb96d2e4a6fc2c634ef31b6747ade3acf2fe37238a7d34
Tags:exegozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected Ursnif
Sigma detected: Suspicious Call by Ordinal
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6224 cmdline: loaddll64.exe "C:\Users\user\Desktop\d780000.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6172 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 3012 cmdline: rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6084 cmdline: rundll32.exe C:\Users\user\Desktop\d780000.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "R+UxqbV/y+ZU1c0seFgwYm43sz1DSmatV8GC7d9ajlQ+vaAx2oxbmrXwev8mSqGGA/bUt2ZkpqSt/nxO6+/Ak7RHUIzazuikwj2CwtI2KIDL8nZsOoWBzTyOzo34t4SghKOmz0ogisuhvhvEfnzRtTwTwtCrGujd4Sa3+qw1BPxaNAN0DFEVfIrq201z4jAs", "c2_domain": ["lycos.com", "mail.yahoo.com", "193.56.255.251", "193.56.255.250", "193.56.255.249", "numolerunosell.online", "gumolerunosell.online", "rumolerunosell.online"], "dga_tld": "com ru org", "DGA_count": "10", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "60", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "1000", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "122", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "1000", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "122", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "4474", "SetWaitableTimer_value": "200"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
d780000.dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Suspicious Call by OrdinalShow sources
    Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6172, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1, ProcessId: 3012

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Antivirus / Scanner detection for submitted sampleShow sources
    Source: d780000.dllAvira: detected
    Found malware configurationShow sources
    Source: d780000.dllMalware Configuration Extractor: Ursnif {"RSA Public Key": "R+UxqbV/y+ZU1c0seFgwYm43sz1DSmatV8GC7d9ajlQ+vaAx2oxbmrXwev8mSqGGA/bUt2ZkpqSt/nxO6+/Ak7RHUIzazuikwj2CwtI2KIDL8nZsOoWBzTyOzo34t4SghKOmz0ogisuhvhvEfnzRtTwTwtCrGujd4Sa3+qw1BPxaNAN0DFEVfIrq201z4jAs", "c2_domain": ["lycos.com", "mail.yahoo.com", "193.56.255.251", "193.56.255.250", "193.56.255.249", "numolerunosell.online", "gumolerunosell.online", "rumolerunosell.online"], "dga_tld": "com ru org", "DGA_count": "10", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "60", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "1000", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "122", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "1000", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "122", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "4474", "SetWaitableTimer_value": "200"}

    Key, Mouse, Clipboard, Microphone and Screen Capturing:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: d780000.dll, type: SAMPLE

    E-Banking Fraud:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: d780000.dll, type: SAMPLE

    System Summary:

    barindex
    Source: d780000.dllStatic PE information: No import functions for PE file found
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dllJump to behavior
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dllJump to behavior
    Source: d780000.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: classification engineClassification label: mal68.troj.winDLL@7/0@0/0
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1
    Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\d780000.dll"
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\d780000.dll,#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1Jump to behavior
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\d780000.dll,#1Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1Jump to behavior
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: d780000.dllStatic PE information: Image base 0x180000000 > 0x60000000

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: d780000.dll, type: SAMPLE
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPortJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1Jump to behavior

    Stealing of Sensitive Information:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: d780000.dll, type: SAMPLE

    Remote Access Functionality:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: d780000.dll, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationDLL Side-Loading1Process Injection11Virtualization/Sandbox Evasion1OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Rundll321LSASS MemoryVirtualization/Sandbox Evasion1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection11Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)DLL Side-Loading1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 552535 Sample: d780000.dll Startdate: 13/01/2022 Architecture: WINDOWS Score: 68 15 Found malware configuration 2->15 17 Antivirus / Scanner detection for submitted sample 2->17 19 Yara detected  Ursnif 2->19 21 Sigma detected: Suspicious Call by Ordinal 2->21 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    d780000.dll100%AviraHEUR/AGEN.1212258

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:552535
    Start date:13.01.2022
    Start time:13:50:16
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 3m 0s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:d780000.dll
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:8
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal68.troj.winDLL@7/0@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .dll
    • Stop behavior analysis, all processes terminated
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 23.211.6.115
    • Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net
    • Not all processes where analyzed, report is missing behavior information
    • VT rate limit hit for: d780000.dll

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:MS-DOS executable
    Entropy (8bit):6.4175338303633085
    TrID:
    • Win64 Dynamic Link Library (generic) (102004/3) 84.88%
    • Win64 Executable (generic) (12005/4) 9.99%
    • DOS Executable Borland Pascal 7.0x (2037/25) 1.69%
    • Generic Win/DOS Executable (2004/3) 1.67%
    • DOS Executable Generic (2002/1) 1.67%
    File name:d780000.dll
    File size:227840
    MD5:0c3b18bb45fc04d2b4f802e4a6a898f4
    SHA1:198fdda0ebc3eb6c4c0c3f235d4d2725f51ab688
    SHA256:640977f81ab253d45adb96d2e4a6fc2c634ef31b6747ade3acf2fe37238a7d34
    SHA512:870dc1b9c96f289d426decb24085b6ca6782e9501a07e1503418556a4aea70ad689d0dd9e64e022e8d18a976f0b20e96404d9968bffc356e9aa0b30bfc0a8e30
    SSDEEP:6144:/HExb7VwvtKNbnvSxYNiyf+D3Luiy53H:cxb5wvtKRvSxY0G+D7uii
    File Content Preview:MZ......................................................................................................................................................................................................................................................PE..d..

    File Icon

    Icon Hash:74f0e4ecccdce0e4

    Static PE Info

    General

    Entrypoint:0x18002a0e8
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x180000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
    DLL Characteristics:
    Time Stamp:0x60C0F8C1 [Wed Jun 9 17:22:09 2021 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:2
    File Version Major:5
    File Version Minor:2
    Subsystem Version Major:5
    Subsystem Version Minor:2
    Import Hash:

    Entrypoint Preview

    Instruction
    inc eax
    push ebx
    dec eax
    sub esp, 20h
    mov ebx, 00000001h
    test edx, edx
    je 00007FBB58C1D186h
    cmp edx, ebx
    jne 00007FBB58C1D191h
    mov eax, ebx
    lock xadd dword ptr [0000A8ABh], eax
    add eax, ebx
    cmp eax, ebx
    jne 00007FBB58C1D181h
    dec ecx
    mov edx, eax
    call 00007FBB58BFA7AEh
    test eax, eax
    je 00007FBB58C1D175h
    xor ebx, ebx
    jmp 00007FBB58C1D171h
    lock add dword ptr [0000A88Dh], FFFFFFFFh
    jne 00007FBB58C1D167h
    call 00007FBB58C0ECAFh
    mov eax, ebx
    dec eax
    add esp, 20h
    pop ebx
    ret
    jmp dword ptr [00004228h]
    dec esp
    mov ebx, esp
    push ebx
    push ebp
    push esi
    push edi
    inc ecx
    push esp
    dec eax
    sub esp, 60h
    dec ecx
    lea eax, dword ptr [ebx-50h]
    dec esp
    lea esp, dword ptr [FFFD5EB0h]
    dec ebp
    lea eax, dword ptr [ebx-50h]
    dec ecx
    mov dword ptr [ebx-48h], eax
    dec ecx
    lea eax, dword ptr [ebx-50h]
    xor edi, edi
    dec ecx
    mov dword ptr [ebx-50h], eax
    dec eax
    mov eax, dword ptr [0000AA37h]
    inc ebp
    xor ecx, ecx
    dec edx
    lea edx, dword ptr [eax+00038468h]
    dec edx
    lea ecx, dword ptr [eax+00037750h]
    mov dword ptr [esp+28h], 00000001h
    mov dword ptr [esp+20h], edi
    call 00007FBB58C1C5D4h
    cmp eax, edi
    je 00007FBB58C1D1FAh
    dec eax
    mov ebx, dword ptr [esp+38h]
    dec esp
    lea eax, dword ptr [esp+000000A0h]
    dec eax
    lea edx, dword ptr [esp+30h]
    dec eax
    lea ecx, dword ptr [ebx+28h]
    dec eax
    mov esi, ebx
    call 00007FBB58C1D1F2h

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x32ad00x37.rdata
    IMAGE_DIRECTORY_ENTRY_IMPORT0x31a700x3c.rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x350000x17c4.pdata
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x3a0000x330.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x2e0000x508.rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x2fdf80x1e0.rdata
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x2c9080x2ca00False0.57014290091data6.34156774345IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .rdata0x2e0000x4b070x4c00False0.399362664474data5.24927821467IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data0x330000x1f880x1a00False0.338792067308lif file4.02465091535IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .pdata0x350000x17c40x1800False0.538411458333data5.29492234825IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .bss0x370000x20c80x2200False0.952895220588data7.87054877548IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .reloc0x3a0000x10000xc00False0.459635416667data4.35925404581IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    Behavior

    Click to jump to process

    System Behavior

    General

    Start time:13:51:15
    Start date:13/01/2022
    Path:C:\Windows\System32\loaddll64.exe
    Wow64 process (32bit):false
    Commandline:loaddll64.exe "C:\Users\user\Desktop\d780000.dll"
    Imagebase:0x7ff6820e0000
    File size:140288 bytes
    MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate

    General

    Start time:13:51:15
    Start date:13/01/2022
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1
    Imagebase:0x7ff7b3890000
    File size:273920 bytes
    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:13:51:15
    Start date:13/01/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\d780000.dll",#1
    Imagebase:0x7ff62ded0000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:13:51:15
    Start date:13/01/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe C:\Users\user\Desktop\d780000.dll,#1
    Imagebase:0x7ff62ded0000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Disassembly

    Code Analysis

    Reset < >