Analysis

  • max time kernel
    135s
  • max time network
    148s
  • resource
    win10v191014

General

  • Target

    a038cf5f99d17df1e223aaf2f5f80b4b4a440a4e

  • Sample

    191018-7wl797zm62

  • SHA256

    ba6af8e68fc67d929a1567eef3a86c1ba481f4f55ee203a17b4e0ee81ec58f41

Score
N/A

Malware Config

Extracted

  • Family

    ursnif

  • Botnet

    1000

  • C2

    http://weekends-estate.xyz

Attributes
  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    1.320669898e+09

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    107.174.86.134

    107.175.127.22

  • rsa_pubkey.base64
  • serpent.plain

    YQiUrgpfMGxlbXo6

Signatures

  • Drops file in system dir 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • ursnif family
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Modifies service 2 TTPs 1 IoCs
  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a038cf5f99d17df1e223aaf2f5f80b4b4a440a4e.exe
    "C:\Users\Admin\AppData\Local\Temp\a038cf5f99d17df1e223aaf2f5f80b4b4a440a4e.exe"
    PID:4928
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      PID:5092
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5092 CREDAT:82945 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:2568
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s BITS
      • Drops file in system dir
      • Modifies service
      PID:4044
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
      PID:1772
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      PID:4644
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:82945 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:4740
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
      • Checks system information in the registry (likely anti-VM)
      PID:4228
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k unistacksvcgroup
      PID:4600
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
      • Windows security modification
      PID:4580
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      PID:540
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:82945 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:708
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      PID:1292
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:82945 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:1528

Network

  • 104.81.140.70:443
    fs.microsoft.com
    BITS
    3.4kB
    70.0kB
    46
    17
  • 52.109.88.39:443
    nexus.officeapps.live.com
    4.2kB
    9.8kB
    17
    11
  • 104.81.140.70:443
    fs.microsoft.com
    4.7kB
    87.8kB
    59
    25
  • 72.21.81.200:443
    iecvlist.microsoft.com
    iexplore.exe
    2.0kB
    26.0kB
    26
    9
  • 127.0.0.1:47001
    BITS
  • 104.81.140.70:443
    fs.microsoft.com
    BITS
    3.4kB
    71.1kB
    46
    16
  • 104.81.140.70:443
    fs.microsoft.com
    BITS
    3.4kB
    71.1kB
    46
    16
  • 52.109.76.31:443
    nexusrules.officeapps.live.com
    2.2kB
    7.0kB
    11
    6
  • 8.8.8.8:53
    nexus.officeapps.live.com
    85 B
    147 B
    1
    1
    DNS Request: nexus.officeapps.live.com
    DNS Response: 52.109.88.39
  • 8.8.8.8:53
    weekends-estate.xyz
    79 B
    144 B
    1
    1
    DNS Request: weekends-estate.xyz
  • 8.8.8.8:53
    go.microsoft.com
    76 B
    171 B
    1
    1
    DNS Request: go.microsoft.com
    DNS Response: 23.66.21.99
  • 8.8.8.8:53
    weekends-estate.xyz
    79 B
    144 B
    1
    1
    DNS Request: weekends-estate.xyz
  • 10.10.0.26:59808
    120 B
    1
  • 8.8.8.8:53
    weekends-estate.xyz
    79 B
    79 B
    1
    1
    DNS Request: weekends-estate.xyz
  • 8.8.8.8:53
    iecvlist.microsoft.com
    82 B
    164 B
    1
    1
    DNS Request: iecvlist.microsoft.com
    DNS Response: 72.21.81.200
  • 8.8.8.8:53
    fs.microsoft.com
    76 B
    283 B
    1
    1
    DNS Request: fs.microsoft.com
    DNS Response: 104.81.140.70
  • 10.10.0.255:137
    440 B
    4
  • 8.8.8.8:53
    nexusrules.officeapps.live.com
    90 B
    155 B
    1
    1
    DNS Request: nexusrules.officeapps.live.com
    DNS Response: 52.109.76.31
  • 8.8.8.8:53
    go.microsoft.com
    76 B
    171 B
    1
    1
    DNS Request: go.microsoft.com
    DNS Response: 23.66.21.99
  • 8.8.8.8:53
    go.microsoft.com
    76 B
    171 B
    1
    1
    DNS Request: go.microsoft.com
    DNS Response: 23.66.21.99
  • 8.8.8.8:53
    weekends-estate.xyz
    79 B
    144 B
    1
    1
    DNS Request: weekends-estate.xyz
  • 8.8.8.8:53
    go.microsoft.com
    76 B
    171 B
    1
    1
    DNS Request: go.microsoft.com
    DNS Response: 23.66.21.99
  • 8.8.8.8:53
    weekends-estate.xyz
    79 B
    144 B
    1
    1
    DNS Request: weekends-estate.xyz
  • 239.255.255.250:1900
    1.4kB
    8
  • 8.8.8.8:53
    weekends-estate.xyz
    79 B
    144 B
    1
    1
    DNS Request: weekends-estate.xyz
  • 8.8.8.8:53
    weekends-estate.xyz
    79 B
    144 B
    1
    1
    DNS Request: weekends-estate.xyz
  • 239.255.255.250:1900
    SSDPSRV
  • 8.8.8.8:53
    weekends-estate.xyz
    79 B
    144 B
    1
    1
    DNS Request: weekends-estate.xyz
  • 224.0.0.22
    62 B
    1
  • 10.10.0.32
    148 B
    1

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

  • T1089
  • T1031


Downloads

  • memory/4928-0-0x0000000000759000-0x000000000076C000-memory.dmp
    Filesize: 76KB
  • memory/4928-1-0x0000000000930000-0x0000000000931000-memory.dmp
    Filesize: 4KB
  • memory/4928-2-0x0000000000700000-0x000000000070F000-memory.dmp
    Filesize: 60KB
