e9ca2e726c664d3f610c06ce555e5c5cf3550e5cc7fb21bf2c6b461976b8cc29

General

Target

8ad35f111142e94599955379dad6fe8040789f0b
Sample

191018-6cbxhgqhwx
SHA256

e9ca2e726c664d3f610c06ce555e5c5cf3550e5cc7fb21bf2c6b461976b8cc29

Score

N/A

Malware Config

Extracted

Family

ursnif

Botnet

500

C2

http://myhomesitter.fun

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
1.320669898e+09
dga_season
10
dga_tlds
com

ru

org
dns_servers
107.174.86.134

107.175.127.22

rsa_pubkey.base64

serpent.plain

Signatures

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

5084 iexplore.exe
4448 iexplore.exe
4736 iexplore.exe
1080 iexplore.exe
2024 iexplore.exe

Modifies service 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName = "Global\\MMF_BITSb8e36c09-5e80-49f3-899e-155c1bda5e63"	4628	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	816	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	816	svchost.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{48BF8865-F1DD-11E9-BD7F-D2DFD4EE3F6C} = "0"	5084	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	5084	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "523137206"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30770666"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "523137206"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30770666"	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	5084	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa000000000200000000001066000000010000200000006c411e439cb0b7be165bacb5f5f20df874c5d4e755ac67e256b85b79a5e041d9000000000e8000000002000020000000c9997b4dec58c11d057accca21eea18f6b913b631350a30f2836f3059d99e27620000000bdedbeb3beac5972a2f84354262052392989cccb3e4263ab7a5a92c8ec68e2c5400000000e4ba97b91d96211f1d6f47432fab1909cd30e64b5cce65516e9c06eb423f5fae657f54b1102bc159dabec623aecd6b25b4623c048e083cff6c5355f5e23bbe4	5084	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e13524ea85d501	5084	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa000000000200000000001066000000010000200000003556559baf888fc2007c8bcd05f77b4cd95d991c238b83eb67e645a74947abcd000000000e800000000200002000000007200bc43d638d8c3dbe0d04d499a2435b6f4baf5cb2941c23a6100a0cbd321020000000ff1a39cd5d47667b798b093ca46a305dd9df764bd0facf4dfc76ff45c5fbe2a740000000d967556d4c38582638edef414da27bee753603e9ca303d3481a50ed51d60dbe8e5dfebb0eb395e5d9a8c18d7dac3943673b7a4c57d06ddca0f46b7a90d2f22b6	5084	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9045e624ea85d501	5084	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	4448	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{67F28CF0-F1DD-11E9-BD7F-D2DFD4EE3F6C} = "0"	4448	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	4448	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	4448	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	4448	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa000000000200000000001066000000010000200000007e25c4a66ad1d8785897eed96d301847992108dd76635d006b156b7eb94f8b19000000000e8000000002000020000000b33915f83df50f2b598cd60a9f1e3338784a6814622ae9d82af176cf3a1c91da20000000276426c024e11101ae13c8ecf597338dd70d378c1d31f3d436db4efcf6fd7e3040000000f2eea55eacc5498df70fdcb2f0e07d01b584ce2907c9b734ad63dba97d978e8df0cf5fe606ec31f4a5d8b1601b89c53277ce9f29575f95ecc77381ddc6a981fa	4448	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5008c12bea85d501	4448	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	4448	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	4736	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{757601AD-F1DD-11E9-BD7F-D2DFD4EE3F6C} = "0"	4736	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	4736	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	4736	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	4736	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa00000000020000000000106600000001000020000000c9acbd06cc36f128c124a8198bd84eba7ccf483a7d0e0432f1f6f6cf9c7277f3000000000e8000000002000020000000c100e450a97123fce1730d7c10483bded8173f52a0ee456f4fc9cde79fefa06a20000000ce7f053291e56a274dc78759f02051f1132080edba0552415b552fed3165fa5d40000000c80f2723425e1b89863fd5fe44877f7ee42cfba161ec2d239651d3bbd4fead76a187718e31f1716d2ce3b1faf1f6801ea342a1fef46166c8628da1cdcf89e519	4736	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00f1fc38ea85d501	4736	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	4736	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	1080	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{82E19DF9-F1DD-11E9-BD7F-D2DFD4EE3F6C} = "0"	1080	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1080	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	1080	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	1080	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa00000000020000000000106600000001000020000000b98b04ed6e1fce223b50c66473093bf03b4a0b711649c5d7e253821637aabea7000000000e8000000002000020000000322bd1b28c761b34d4c6c9905aa8898db5868ed52a5d47209619cb2a3e36ad11200000005b99994ac36c418c10e603ec7c5b140dcb3493449537f1c7a546772a657d84f3400000005a132af3660f81abd3a854db86172bea54fc49ee1f329fd0a1919dcda8b0206b41701a74e11551b97e4a2dd426b5e1c1ab3031f485e5a704a57c94ce85ad9e0e	1080	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ffce46ea85d501	1080	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	1080	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	2024	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{90D78265-F1DD-11E9-BD7F-D2DFD4EE3F6C} = "0"	2024	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2024	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	2024	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	2024	iexplore.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 5084 wrote to memory of 1428	5084	iexplore.exe	IEXPLORE.EXE
PID 4448 wrote to memory of 4052	4448	iexplore.exe	IEXPLORE.EXE
PID 4736 wrote to memory of 4748	4736	iexplore.exe	IEXPLORE.EXE
PID 1080 wrote to memory of 1448	1080	iexplore.exe	IEXPLORE.EXE
PID 2024 wrote to memory of 2412	2024	iexplore.exe	IEXPLORE.EXE

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4264	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4264	svchost.exe

ursnif family
family

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
5084	iexplore.exe
1428	IEXPLORE.EXE
4448	iexplore.exe
4052	IEXPLORE.EXE
4736	iexplore.exe
4748	IEXPLORE.EXE
1080	iexplore.exe
1448	IEXPLORE.EXE
2024	iexplore.exe
2412	IEXPLORE.EXE

Drops file in system dir 5 IoCs

Processes:

svchost.exe

description	ioc	pid	process
File opened for modification	C:\Windows\Debug\ESE.TXT	4628	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4628	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4628	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4628	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4628	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8ad35f111142e94599955379dad6fe8040789f0b.exe
"C:\Users\Admin\AppData\Local\Temp\8ad35f111142e94599955379dad6fe8040789f0b.exe"
1⤵
PID:4912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:82945 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:4448

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4448 CREDAT:82945 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:4052

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Modifies service
- Drops file in system dir
PID:4628

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4692

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:4264

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:4048

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4736 CREDAT:82945 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:82945 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:1448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:82945 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1031
T1089

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4912-0-0x0000000002BB0000-0x0000000002BC5000-memory.dmp

Filesize
84KB

Download
memory/4912-1-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/4912-2-0x00000000029C0000-0x00000000029CF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads