Analysis
-
max time kernel
144s -
max time network
151s -
resource
win7v191014
Task
task1
Sample
d0a308811bd0cf98b7f3c13328f34e192ae9f07c.exe
Resource
win7v191014
0 signatures
Task
task2
Sample
d0a308811bd0cf98b7f3c13328f34e192ae9f07c.exe
Resource
win10v191014
0 signatures
General
-
Target
d0a308811bd0cf98b7f3c13328f34e192ae9f07c
-
Sample
191018-dhmnstln9e
-
SHA256
749d9f1bd425a9b49b9ad6e4bcdcb1954de0ad97d6b1506f1fd41ca62ff196c6
Score
N/A
Malware Config
Extracted
Family
ursnif
Botnet
500
C2
http://myhomesitter.fun
Attributes
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
1.320669898e+09
-
dga_season
10
-
dga_tlds
com
ru
org
-
dns_servers
107.174.86.134
107.175.127.22
rsa_pubkey.base64
serpent.plain
Signatures
-
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exepid Process 828 iexplore.exe 1324 iexplore.exe 1608 iexplore.exe 1184 iexplore.exe 1788 iexplore.exe -
ursnif family
-
Processes:
iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exedescription ioc pid Process Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" 828 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7FE3D981-F1DD-11E9-860E-E6D1FCC984C6} = "0" 828 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" 828 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" 828 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" 828 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" 828 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" 828 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee000000000200000000001066000000010000200000001212f102d73f5dada7eeb09c04c6f6edfa04565f70d1260eb8aa4833ff50ca26000000000e800000000200002000000016b310765856c202e3dd3b7a638983093403760f2f1a89278d8f5f136faac24720000000d0103a9adfccbd29d033f3d01f8f30e2dd735ff1bb1a47ebd935fa9592df3c4c40000000d70172827f634abb7c9f35d3a94bd7bd224de0b495ffdf9c8d933958a38a72587c8f73be0de3ce49f25f79996d8580e41e6b9f0d92a7d9e21a1077c711c056c5 828 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c07f9759ea85d501 828 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee000000000200000000001066000000010000200000003846346c8d94eca46601582acc1dfd6097eae2408922d7c511f706d3c2deca53000000000e80000000020000200000002e0dd1ebed95a945ddebe06e83e44ad9a21cfb424855f6782032a8b960a77cb690000000a57cef676921ba6d333284a0ebee96524d266f607dd969c2db7f19aa8c32be339c34acf6ede54d7bec326195bb1ac3b4fdb8d3c1c0983df92b9bb93107776c670308ed0d57382c5a482bb9075e5320f428caa12b2346b6f7f79189b058368e6685971e00aa2df061a5766df2301df2679c3afb356dd3f75bf73da25e08c5d69a2721d6f7d05d8496d7f5a4b113ec9413400000005a043d0932a9ca75af53732d9850a46b799475504587fe9cc6117b5c50d03e621322645ff1aef4bd32de09d45b6d89d9907bcf7da70c952e9ec010c2f1a0f2d0 828 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" 1324 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9DA046C1-F1DD-11E9-860E-E6D1FCC984C6} = "0" 1324 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" 1324 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" 1324 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" 1324 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" 1324 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" 1608 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB0B26E1-F1DD-11E9-860E-E6D1FCC984C6} = "0" 1608 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" 1608 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" 1608 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" 1608 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" 1608 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" 1184 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B8BD7041-F1DD-11E9-860E-E6D1FCC984C6} = "0" 1184 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" 1184 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" 1184 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" 1184 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" 1184 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" 1788 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C6721B01-F1DD-11E9-860E-E6D1FCC984C6} = "0" 1788 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" 1788 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" 1788 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" 1788 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" 1788 iexplore.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exedescription pid Process procid_target PID 828 wrote to memory of 1512 828 iexplore.exe 29 PID 1324 wrote to memory of 1320 1324 iexplore.exe 32 PID 1608 wrote to memory of 608 1608 iexplore.exe 34 PID 1184 wrote to memory of 1344 1184 iexplore.exe 38 PID 1788 wrote to memory of 1040 1788 iexplore.exe 40 -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEpid Process 828 iexplore.exe 1512 IEXPLORE.EXE 1324 iexplore.exe 1320 IEXPLORE.EXE 1608 iexplore.exe 608 IEXPLORE.EXE 1184 iexplore.exe 1344 IEXPLORE.EXE 1788 iexplore.exe 1040 IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0a308811bd0cf98b7f3c13328f34e192ae9f07c.exe"C:\Users\Admin\AppData\Local\Temp\d0a308811bd0cf98b7f3c13328f34e192ae9f07c.exe"1⤵PID:1116
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:828
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:275457 /prefetch:21⤵
- Suspicious use of SetWindowsHookEx
PID:1512
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:1324
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:21⤵
- Suspicious use of SetWindowsHookEx
PID:1320
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:1608
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:21⤵
- Suspicious use of SetWindowsHookEx
PID:608
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:1184
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:275457 /prefetch:21⤵
- Suspicious use of SetWindowsHookEx
PID:1344
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:1788
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:21⤵
- Suspicious use of SetWindowsHookEx
PID:1040