Analysis

  • max time kernel
    146s
  • max time network
    148s
  • resource
    win10v191014

General

  • Target

    8ec9d7a0c950e4f013f9afc76d807e597d7cad9a

  • Sample

    191018-qqj5ysk7q6

  • SHA256

    506b11dd836fdbf1b8aa6e48d922ec9b8ec442cd859fc02f889cdf7ff3224aae

Score
N/A

Malware Config

Extracted

Family

ursnif

Botnet

1000

C2

http://alister-mathmatics.club

Attributes
  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    1.320669898e+09

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    107.174.86.134

    107.175.127.22

rsa_pubkey.base64
serpent.plain

Signatures

  • Windows security modification 2 TTPs 2 IoCs
  • Modifies service 2 TTPs 1 IoCs
  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Drops file in system dir 5 IoCs
  • ursnif family
  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ec9d7a0c950e4f013f9afc76d807e597d7cad9a.exe
    "C:\Users\Admin\AppData\Local\Temp\8ec9d7a0c950e4f013f9afc76d807e597d7cad9a.exe"
    1⤵
      PID:4784
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:4948
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4948 CREDAT:82945 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4996
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:328
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:328 CREDAT:82945 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:988
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s BITS
      1⤵
      • Modifies service
      • Drops file in system dir
      PID:3700
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
      1⤵
        PID:4500
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
        1⤵
        • Checks system information in the registry (likely anti-VM)
        PID:2972
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of FindShellTrayWindow
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:4120
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4120 CREDAT:82945 /prefetch:2
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4004
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k unistacksvcgroup
        1⤵
          PID:2540
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
          1⤵
          • Windows security modification
          PID:3300
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of FindShellTrayWindow
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:332
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:332 CREDAT:82945 /prefetch:2
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:1124
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of FindShellTrayWindow
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:1680
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:82945 /prefetch:2
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:5092

        Network

        MITRE ATT&CK Enterprise v15

        MITRE ATT&CK Additional techniques

        • T1089
        • T1031

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/4784-0-0x00000000007B1000-0x00000000007C6000-memory.dmp

          Filesize

          84KB

        • memory/4784-1-0x0000000002220000-0x0000000002221000-memory.dmp

          Filesize

          4KB

        • memory/4784-2-0x00000000005C0000-0x00000000005CF000-memory.dmp

          Filesize

          60KB