Analysis

  • max time kernel
    137s
  • max time network
    142s
  • resource
    win7v191014

General

  • Target

    8ec9d7a0c950e4f013f9afc76d807e597d7cad9a

  • Sample

    191018-qqj5ysk7q6

  • SHA256

    506b11dd836fdbf1b8aa6e48d922ec9b8ec442cd859fc02f889cdf7ff3224aae

Score
N/A

Malware Config

Extracted

Family

ursnif

Botnet

1000

C2

http://alister-mathmatics.club

Attributes
  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    1.320669898e+09

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    107.174.86.134

    107.175.127.22

  • rsa_pubkey.base64

  • serpent.plain

    YQiUrgpfMGxlbXo6

Signatures

  • ursnif family
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ec9d7a0c950e4f013f9afc76d807e597d7cad9a.exe
    "C:\Users\Admin\AppData\Local\Temp\8ec9d7a0c950e4f013f9afc76d807e597d7cad9a.exe"
      PID:1068
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      PID:364
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:364 CREDAT:275457 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:1952
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      PID:1076
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:275457 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:1428
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      PID:1740
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:1284
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      PID:1180
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275457 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:1064
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      PID:1176
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:275457 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:1664

    Network

    • 10.7.0.255:137
      2.4kB
      26
    • 224.0.0.252:5355
      132 B
      2
    • 8.8.8.8:53
      go.microsoft.com
      76 B
      171 B
      1
      1

      DNS Request

      go.microsoft.com

      DNS Response

      23.66.21.99

    • 8.8.8.8:53
      go.microsoft.com
      380 B
      5

      DNS Request

      go.microsoft.com

      DNS Request

      go.microsoft.com

      DNS Request

      go.microsoft.com

      DNS Request

      go.microsoft.com

      DNS Request

      go.microsoft.com

    • 8.8.8.8:53
      dns.msftncsi.com
      76 B
      104 B
      1
      1

      DNS Request

      dns.msftncsi.com

      DNS Response

      fd3e:4f5a:5b81::1

    • 224.0.0.252:5355
      128 B
      2
    • 224.0.0.252:5355
      132 B
      2
    • 8.8.8.8:53
      go.microsoft.com
      76 B
      171 B
      1
      1

      DNS Request

      go.microsoft.com

      DNS Response

      23.66.21.99

    • 8.8.8.8:53
      alister-mathmatics.club
      83 B
      153 B
      1
      1

      DNS Request

      alister-mathmatics.club

    • 224.0.0.252:5355
      128 B
      2
    • 224.0.0.252:5355
      128 B
      2
    • 224.0.0.252:5355
      128 B
      2
    • 8.8.8.8:53
      go.microsoft.com
      76 B
      171 B
      1
      1

      DNS Request

      go.microsoft.com

      DNS Response

      23.66.21.99

    • 224.0.0.252:5355
      128 B
      2
    • 239.255.255.250:1900
      1.1kB
      6
    • 239.255.255.250:1900
    • 8.8.8.8:53
      dns.msftncsi.com
      76 B
      92 B
      1
      1

      DNS Request

      dns.msftncsi.com

      DNS Response

      131.107.255.255

    • 8.8.8.8:53
      go.microsoft.com
      76 B
      171 B
      1
      1

      DNS Request

      go.microsoft.com

      DNS Response

      23.66.21.99

    • 224.0.0.22
      120 B
      2

    MITRE ATT&CK Enterprise v16


    Downloads

    • memory/1068-0-0x0000000000586000-0x000000000059B000-memory.dmp

      Filesize

      84KB

    • memory/1068-1-0x0000000001DA0000-0x0000000001DB1000-memory.dmp

      Filesize

      68KB

    • memory/1068-2-0x0000000000230000-0x000000000023F000-memory.dmp

      Filesize

      60KB

    • memory/1952-3-0x0000000006040000-0x0000000006063000-memory.dmp

      Filesize

      140KB
