Analysis

max time kernel: 150s
max time network: 155s
resource: win7v191014

Task task1
Sample: a038cf5f99d17df1e223aaf2f5f80b4b4a440a4e.exe
Resource: win7v191014
0 signatures

Task task2
Sample: a038cf5f99d17df1e223aaf2f5f80b4b4a440a4e.exe
Resource: win10v191014
0 signatures
General

Target: a038cf5f99d17df1e223aaf2f5f80b4b4a440a4e (40 hex digits, the length of a SHA-1; the sample file is named after it)
Sample: 191018-7wl797zm62
SHA256: ba6af8e68fc67d929a1567eef3a86c1ba481f4f55ee203a17b4e0ee81ec58f41
Score: N/A
Malware Config

Extracted
Family: ursnif
Botnet: 1000
C2: http://weekends-estate.xyz

Attributes
dga_base_url: constitution.org/usdeclar.txt
dga_crc: 1.320669898e+09 (the report renders the integer as a float; in decimal it is 1320669898)
dga_season: 10
dga_tlds: com, ru, org
dns_servers: 107.174.86.134, 107.175.127.22
rsa_pubkey.base64: (value not included in this copy of the report)
serpent.plain: (value not included in this copy of the report)

Note: the DGA fields point the bot at a public text (usdeclar.txt on constitution.org is the US Declaration of Independence) as its word source, so the generated domains are dictionary-style concatenations under .com, .ru and .org rather than random-looking labels, and the seed material (dga_crc, dga_season) is fixed by the config. The dns_servers entries are, by their name, resolvers the bot is configured to query directly; outbound DNS from a workstation to 107.174.86.134 or 107.175.127.22 instead of the corporate resolver is therefore a usable network indicator on its own, independent of the C2 hostname.
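To make the extracted DGA parameters concrete, the following is an added example (not code from the report or from the Ursnif/ISFB authors, and not the real Ursnif algorithm) of a dictionary DGA driven by exactly the kinds of inputs the config lists: a public base text, a 32-bit CRC seed, a season length, and a TLD list. The mapping of dga_season to "days per seed period" and the CRC32-plus-LCG mixing are this example's own assumptions; the base text is an embedded excerpt of the Declaration of Independence so the code runs offline instead of fetching dga_base_url.

```python
"""Illustrative dictionary DGA built from the extracted config values.

This is an added example modelled on the config fields (dga_base_url, dga_crc,
dga_season, dga_tlds); it is NOT the real Ursnif/ISFB domain generator.
"""
from __future__ import annotations

import re
import zlib
from datetime import date

# Values from the extracted config on this page.
DGA_CRC = 1320669898            # dga_crc (1.320669898e+09) as an integer
DGA_SEASON = 10                 # dga_season; ASSUMED here to mean days per seed period
DGA_TLDS = ["com", "ru", "org"] # dga_tlds

# Stand-in for the text at dga_base_url (constitution.org/usdeclar.txt),
# embedded so the example runs offline: the opening sentence of the
# US Declaration of Independence.
DGA_BASE_TEXT = (
    "When in the Course of human events, it becomes necessary for one people to "
    "dissolve the political bands which have connected them with another, and to "
    "assume among the powers of the earth, the separate and equal station to which "
    "the Laws of Nature and of Nature's God entitle them, a decent respect to the "
    "opinions of mankind requires that they should declare the causes which impel "
    "them to the separation."
)


def word_list(text: str) -> list[str]:
    """Tokenise the base text into lowercase, label-safe words (3..8 letters)."""
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", text)]
    return [w for w in words if 3 <= len(w) <= 8]


def period_seed(day_iso: str, season: int = DGA_SEASON, crc: int = DGA_CRC) -> int:
    """Seed that is constant for `season` consecutive days, then changes.

    The day (ISO format, e.g. "2019-10-18") is bucketed as ordinal // season and
    mixed with the config CRC, so the same config and period always give the
    same domain set. The mixing function is this example's choice.
    """
    bucket = date.fromisoformat(day_iso).toordinal() // season
    return zlib.crc32(bucket.to_bytes(4, "little") + crc.to_bytes(4, "little"))


class LCG:
    """Minimal linear congruential generator (glibc-style constants)."""

    def __init__(self, seed: int) -> None:
        self.state = seed & 0x7FFFFFFF

    def next(self) -> int:
        self.state = (self.state * 1103515245 + 12345) & 0x7FFFFFFF
        return self.state


def generate(day_iso: str, count: int = 12, words_per_domain: int = 2) -> list[str]:
    """Candidate domains for the period that contains `day_iso`."""
    words = word_list(DGA_BASE_TEXT)
    rng = LCG(period_seed(day_iso))
    domains = []
    for _ in range(count):
        label = "".join(words[rng.next() % len(words)] for _ in range(words_per_domain))
        tld = DGA_TLDS[rng.next() % len(DGA_TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def is_dga_candidate(hostname: str, day_iso: str) -> bool:
    """Check a DNS query name against the current period's domain set."""
    return hostname.lower().rstrip(".") in set(generate(day_iso))


if __name__ == "__main__":
    for d in generate("2019-10-18"):
        print(d)
```

The detection-relevant property is visible in `period_seed`: any two days in the same ten-day bucket yield identical domains, so a defender who knows the config can precompute the period's set and match DNS query names against it; a name with characters outside the word list (a hyphen, a .xyz TLD) such as the static C2 weekends-estate.xyz never matches.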
Signatures

Modifies Internet Explorer settings 33 IoCs
All keys below are under \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\, abbreviated to IE\ in the rows.

description   ioc   pid Process
Set value (int)   IE\Main\CompatibilityFlags = "0"   1112 iexplore.exe
Set value (int)   IE\Recovery\AdminActive\{777F0BC1-F1DD-11E9-8C2F-DE171A02E7A0} = "0"   1112 iexplore.exe
Set value (str)   IE\Main\WindowsSearch\Version = "WS not running"   1112 iexplore.exe
Set value (str)   IE\Main\FullScreen = "no"   1112 iexplore.exe
Set value (int)   IE\Recovery\PendingRecovery\AdminActive = "0"   1112 iexplore.exe
Set value (int)   IE\MINIE\TabBandWidth = "500"   1112 iexplore.exe
Set value (int)   IE\TabbedBrowsing\NTPFirstRun = "1"   1112 iexplore.exe
Set value (data)  IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee0000000002000000000010660000000100002000000029b77e3e0494a104cb536117831580a8f4cb95402abe7e238d58db7928ed92f9000000000e80000000020000200000007547617c067517cea3e4bfb238e4d6ddd50df3bdcc9ddd759fd99416908e6bb0200000005c34ee08e0de93aa208623c8c0583d00a27ed4f3aa433388e474e77ec334e247400000004598b2dea04c5e93133e6789abdd925641c5e0623bab3d0f8a6ce856fa9d8d9f0bbdc2d84629d0a812b2a737f4f361aa7e0b53be0992441e60ad3430b14f3aff   1112 iexplore.exe
Set value (data)  IE\TabbedBrowsing\NewTabPage\LastProcessed = 40bf8259ea85d501   1112 iexplore.exe
Set value (data)  IE\TabbedBrowsing\NewTabPage\MFV = (data value omitted in this copy of the report)   1112 iexplore.exe
Set value (int)   IE\Main\CompatibilityFlags = "0"   2168 iexplore.exe
Set value (int)   IE\Recovery\AdminActive\{9D48DFC1-F1DD-11E9-8C2F-DE171A02E7A0} = "0"   2168 iexplore.exe
Set value (str)   IE\Main\WindowsSearch\Version = "WS not running"   2168 iexplore.exe
Set value (str)   IE\Main\FullScreen = "no"   2168 iexplore.exe
Set value (int)   IE\Recovery\PendingRecovery\AdminActive = "0"   2168 iexplore.exe
Set value (int)   IE\MINIE\TabBandWidth = "500"   2168 iexplore.exe
Set value (int)   IE\Main\CompatibilityFlags = "0"   2400 iexplore.exe
Set value (int)   IE\Recovery\AdminActive\{AA190681-F1DD-11E9-8C2F-DE171A02E7A0} = "0"   2400 iexplore.exe
Set value (str)   IE\Main\WindowsSearch\Version = "WS not running"   2400 iexplore.exe
Set value (str)   IE\Main\FullScreen = "no"   2400 iexplore.exe
Set value (int)   IE\Recovery\PendingRecovery\AdminActive = "0"   2400 iexplore.exe
Set value (int)   IE\MINIE\TabBandWidth = "500"   2400 iexplore.exe
Set value (int)   IE\Main\CompatibilityFlags = "0"   2732 iexplore.exe
Set value (int)   IE\Recovery\AdminActive\{B6F2B2C1-F1DD-11E9-8C2F-DE171A02E7A0} = "0"   2732 iexplore.exe
Set value (str)   IE\Main\WindowsSearch\Version = "WS not running"   2732 iexplore.exe
Set value (str)   IE\Main\FullScreen = "no"   2732 iexplore.exe
Set value (int)   IE\Recovery\PendingRecovery\AdminActive = "0"   2732 iexplore.exe
Set value (int)   IE\MINIE\TabBandWidth = "500"   2732 iexplore.exe
Set value (int)   IE\Main\CompatibilityFlags = "0"   2920 iexplore.exe
Set value (int)   IE\Recovery\AdminActive\{C40A42C1-F1DD-11E9-8C2F-DE171A02E7A0} = "0"   2920 iexplore.exe
Set value (str)   IE\Main\WindowsSearch\Version = "WS not running"   2920 iexplore.exe
Set value (str)   IE\Main\FullScreen = "no"   2920 iexplore.exe
Set value (int)   IE\Recovery\PendingRecovery\AdminActive = "0"   2920 iexplore.exe

Note: every row is written by iexplore.exe itself to Internet Explorer's own session-state keys (CompatibilityFlags, a per-launch Recovery\AdminActive\{GUID}, PendingRecovery, TabBandWidth, NewTabPage state). IE writes these on any launch, so the signature records browser housekeeping rather than a setting changed by the sample; the sample process (PID 1972) does not appear in any row. The DecayDateQueue value starts with the DPAPI provider GUID (d08c9ddf-0115-d111-8c7a-00c04fc297eb in the 01000000d08c9ddf0115d1118c7a00c04fc297eb header), i.e. it is an IE-encrypted DPAPI blob, and LastProcessed is an 8-byte little-endian FILETIME (0x01d585ea5982bf40).
Suspicious use of WriteProcessMemory 5 IoCs
description   pid Process   procid_target
PID 1112 wrote to memory of 1940   1112 iexplore.exe   30
PID 2168 wrote to memory of 2216   2168 iexplore.exe   33
PID 2400 wrote to memory of 2448   2400 iexplore.exe   35
PID 2732 wrote to memory of 2780   2732 iexplore.exe   39
PID 2920 wrote to memory of 2968   2920 iexplore.exe   41
Note: each write goes from an iexplore.exe frame process into the IEXPLORE.EXE content process that names it in its SCODEF argument (see Processes). That is how IE starts its tab processes, so these rows reproduce the browser's own behaviour; none of them involves the sample (PID 1972).

Suspicious use of SetWindowsHookEx 10 IoCs
pid Process
1112 iexplore.exe
1940 IEXPLORE.EXE
2168 iexplore.exe
2216 IEXPLORE.EXE
2400 iexplore.exe
2448 IEXPLORE.EXE
2732 iexplore.exe
2780 IEXPLORE.EXE
2920 iexplore.exe
2968 IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 5 IoCs
pid Process
1112 iexplore.exe
2168 iexplore.exe
2400 iexplore.exe
2732 iexplore.exe
2920 iexplore.exe

ursnif family
Processes

C:\Users\Admin\AppData\Local\Temp\a038cf5f99d17df1e223aaf2f5f80b4b4a440a4e.exe
  "C:\Users\Admin\AppData\Local\Temp\a038cf5f99d17df1e223aaf2f5f80b4b4a440a4e.exe"
  PID: 1972

C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of FindShellTrayWindow
  PID: 1112

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:275457 /prefetch:2
  - Suspicious use of SetWindowsHookEx
  PID: 1940

C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of FindShellTrayWindow
  PID: 2168

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2
  - Suspicious use of SetWindowsHookEx
  PID: 2216

C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of FindShellTrayWindow
  PID: 2400

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2
  - Suspicious use of SetWindowsHookEx
  PID: 2448

C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of FindShellTrayWindow
  PID: 2732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
  - Suspicious use of SetWindowsHookEx
  PID: 2780

C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of FindShellTrayWindow
  PID: 2920

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
  - Suspicious use of SetWindowsHookEx
  PID: 2968

Note: as rendered, the tree lists the sample (PID 1972) and the five iexplore.exe frame processes as separate entries at the same level; the sample carries no signatures and no listed child processes. The frame processes were started by COM activation (-Embedding), and each IEXPLORE.EXE content process names its frame process in SCODEF (1112/1940, 2168/2216, 2400/2448, 2732/2780, 2920/2968), which are exactly the WriteProcessMemory pairs in the Signatures section. The only finding that ties this run to the family is the extracted ursnif config, not the behavioural rows.
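The check described above, that every WriteProcessMemory row is explained by IE's own frame-to-content relationship and none touches the sample, can be automated over the report's process list and signature rows. The following is an added example (not part of the sandbox report) that parses the SCODEF argument of each IEXPLORE.EXE command line, derives the expected frame/content pairs, and classifies the report's write events against them; the process and write data are copied from this page, and the extra write in the test is a constructed negative case.

```python
"""Cross-check WriteProcessMemory rows against IE frame/content links.

Added example; the PROCESSES and WRITES data are transcribed from the report
on this page, everything else is this example's own logic.
"""
from __future__ import annotations

import re

# (pid, image path, command line) as listed under Processes.
PROCESSES = [
    (1972, r"C:\Users\Admin\AppData\Local\Temp\a038cf5f99d17df1e223aaf2f5f80b4b4a440a4e.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\a038cf5f99d17df1e223aaf2f5f80b4b4a440a4e.exe"'),
    (1112, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
    (1940, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:275457 /prefetch:2'),
    (2168, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
    (2216, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2'),
    (2400, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
    (2448, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2'),
    (2732, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
    (2780, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2'),
    (2920, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
    (2968, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2'),
]

# "PID X wrote to memory of Y" rows from the WriteProcessMemory signature.
WRITES = [(1112, 1940), (2168, 2216), (2400, 2448), (2732, 2780), (2920, 2968)]

SAMPLE_PID = 1972
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)")


def frame_links(processes: list[tuple[int, str, str]]) -> dict[int, int]:
    """Map each IE content process to the frame process named in its SCODEF argument."""
    links: dict[int, int] = {}
    for pid, image, cmdline in processes:
        match = SCODEF_RE.search(cmdline)
        if match and image.lower().endswith("iexplore.exe"):
            links[pid] = int(match.group(1))
    return links


def classify_writes(writes: list[tuple[int, int]],
                    processes: list[tuple[int, str, str]]) -> tuple[list, list]:
    """Split writes into those explained by a frame->content link and the rest.

    A write is explained only when the source is the exact frame process the
    target names in SCODEF; any other cross-process write stays unexplained.
    """
    links = frame_links(processes)
    explained, unexplained = [], []
    for src, dst in writes:
        (explained if links.get(dst) == src else unexplained).append((src, dst))
    return explained, unexplained


def sample_interactions(sample_pid: int, writes: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Writes in which the sample is either the writer or the target."""
    return [w for w in writes if sample_pid in w]


if __name__ == "__main__":
    ok, odd = classify_writes(WRITES, PROCESSES)
    print(f"explained by IE frame/content links: {ok}")
    print(f"unexplained cross-process writes:    {odd}")
    print(f"writes involving the sample:         {sample_interactions(SAMPLE_PID, WRITES)}")
```

On this report all five writes are explained and the sample is involved in none, which is the basis for treating the behavioural rows as browser noise; a write from PID 1972 into any iexplore.exe would land in the unexplained list and would be the injection evidence this run does not show.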