Analysis

max time kernel: 150s
max time network: 153s
resource: win7v191014

Task task1
  Sample: 9193eaeff8fff6c8b09dc370b9e60ddab5b121a3.exe
  Resource: win7v191014
  0 signatures

Task task2
  Sample: 9193eaeff8fff6c8b09dc370b9e60ddab5b121a3.exe
  Resource: win10v191014
  0 signatures

General

Target: 9193eaeff8fff6c8b09dc370b9e60ddab5b121a3
Sample: 191018-z54frb66pa
SHA256: 5c2f4f2893dadc75178da674dddc8c5375fa4242c76c0d99ff5f973c2822b7e6
Score: N/A
Malware Config

Extracted
Family: ursnif
Botnet: 1000
C2: http://weekends-estate.xyz

Attributes
dga_base_url: constitution.org/usdeclar.txt
dga_crc: 1320669898 (the report prints this integer in float notation as 1.320669898e+09)
dga_season: 10
dga_tlds: com, ru, org
dns_servers: 107.174.86.134, 107.175.127.22
rsa_pubkey.base64: (value not shown in the report)
serpent.plain: (value not shown in the report)
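The extracted configuration above is already a usable set of network indicators. The Python below is an added example, not part of the sandbox report and not Ursnif tooling: it normalises the config (recovering the integer CRC from the float notation the report uses), derives the C2 host, the hard-coded resolvers and the DGA seed URL from it, and runs them over constructed DNS and proxy log lines. The log format, the 10.0.0.x addresses, the timestamps and the non-malicious hostnames are made up for the example. The report does not give the DGA algorithm, so the example does not try to enumerate DGA domains; it flags the fetch of the seed text and queries sent to the configured resolvers instead.

```python
"""Turn the extracted Ursnif config into network IoCs and run them over
constructed DNS and HTTP proxy log lines (made up for this example)."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Copied from the report's "Malware Config" section.
EXTRACTED_CONFIG = {
    "family": "ursnif",
    "botnet": "1000",
    "c2": ["http://weekends-estate.xyz"],
    "dga_base_url": "constitution.org/usdeclar.txt",
    "dga_crc": "1.320669898e+09",  # the report renders this integer in float notation
    "dga_season": 10,
    "dga_tlds": ["com", "ru", "org"],
    "dns_servers": ["107.174.86.134", "107.175.127.22"],
}


@dataclass
class NetworkIocs:
    c2_hosts: set
    resolvers: set        # resolvers the bot queries directly, bypassing the system DNS
    dga_seed_host: str    # host serving the DGA word list
    dga_seed_url: str     # host + path of that word list
    dga_crc: int


def build_iocs(cfg):
    c2_hosts = {urlparse(u).hostname.lower() for u in cfg["c2"]}
    # dga_base_url has no scheme; add one so urlparse splits host and path.
    seed = urlparse("http://" + cfg["dga_base_url"])
    return NetworkIocs(
        c2_hosts=c2_hosts,
        resolvers=set(cfg["dns_servers"]),
        dga_seed_host=seed.hostname.lower(),
        dga_seed_url=seed.hostname.lower() + seed.path,
        dga_crc=int(float(cfg["dga_crc"])),  # 1320669898
    )


# Constructed DNS log lines: "<ts> <src> <dst> <proto> <qtype> <qname>".
DNS_LOG = [
    "2019-10-18T12:00:01 10.0.0.5 10.0.0.1 udp/53 A www.microsoft.com",
    "2019-10-18T12:00:02 10.0.0.5 107.174.86.134 udp/53 A weekends-estate.xyz",
    "2019-10-18T12:00:03 10.0.0.5 107.175.127.22 udp/53 A constitution.org",
    "2019-10-18T12:00:04 10.0.0.5 10.0.0.1 udp/53 A update.example.net",
]
# Constructed proxy log lines: "<ts> <src> <method> <url> <status>".
HTTP_LOG = [
    "2019-10-18T12:00:05 10.0.0.5 GET http://www.microsoft.com/ 200",
    "2019-10-18T12:00:06 10.0.0.5 GET http://constitution.org/usdeclar.txt 200",
    "2019-10-18T12:00:07 10.0.0.5 POST http://weekends-estate.xyz/ 200",
]


def scan_dns(lines, iocs):
    """Flag queries sent to the hard-coded resolvers (whatever the name) and
    queries for the C2 or DGA seed host (whatever the resolver)."""
    hits = []
    for n, line in enumerate(lines, 1):
        _ts, _src, dst, _proto, _qtype, qname = line.split()
        qname = qname.lower().rstrip(".")
        reasons = []
        if dst in iocs.resolvers:
            reasons.append(f"resolver:{dst}")
        if qname in iocs.c2_hosts:
            reasons.append(f"c2:{qname}")
        if qname == iocs.dga_seed_host:
            reasons.append(f"dga-seed-host:{qname}")
        if reasons:
            hits.append({"line": n, "reasons": reasons})
    return hits


def scan_http(lines, iocs):
    """Flag requests to the C2 host and fetches of the DGA seed text. The seed
    host is a legitimate site, so treat that hit as corroboration only."""
    hits = []
    for n, line in enumerate(lines, 1):
        _ts, _src, _method, url, _status = line.split()
        u = urlparse(url)
        host = (u.hostname or "").lower()
        reasons = []
        if host in iocs.c2_hosts:
            reasons.append(f"c2:{host}")
        if host + u.path == iocs.dga_seed_url:
            reasons.append(f"dga-seed-fetch:{iocs.dga_seed_url}")
        if reasons:
            hits.append({"line": n, "reasons": reasons})
    return hits


if __name__ == "__main__":
    iocs = build_iocs(EXTRACTED_CONFIG)
    for hit in scan_dns(DNS_LOG, iocs) + scan_http(HTTP_LOG, iocs):
        print(hit)
```

On a network where workstations are only supposed to talk to the corporate resolver, any UDP/53 traffic to 107.174.86.134 or 107.175.127.22 is a strong indicator by itself, independent of the name being queried. The fetch of usdeclar.txt from constitution.org is a request to a legitimate site and should only raise the score of a host that also shows one of the other hits.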
Signatures

Suspicious use of FindShellTrayWindow (5 IoCs)
pid   Process
308   iexplore.exe
1948  iexplore.exe
1124  iexplore.exe
1580  iexplore.exe
1724  iexplore.exe

ursnif family

Modifies Internet Explorer settings
All value paths below are under \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer.

pid 308 iexplore.exe
  Set value (int)   Main\CompatibilityFlags = "0"
  Set value (int)   Recovery\AdminActive\{6E33A6C1-F1DD-11E9-B942-7EE986143E30} = "0"
  Set value (str)   Main\WindowsSearch\Version = "WS not running"
  Set value (str)   Main\FullScreen = "no"
  Set value (int)   Recovery\PendingRecovery\AdminActive = "0"
  Set value (int)   MINIE\TabBandWidth = "500"
  Set value (int)   TabbedBrowsing\NTPFirstRun = "1"
  Set value (data)  TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee00000000020000000000106600000001000020000000eddca10fda49d892bf26957458a86cec4140b6e68172c8ae7a99cf9243c41446000000000e8000000002000020000000ab3991806aabf01cce988abbbba0c498beb1a87607b161399d1a6e84f5f53dc4200000001aaefac7358f48c68626e795a61af86aeaa592b2b8fd92bfecd62b8c196364fb40000000aa6b88ed8e3e5253344873132884477ce61ac482882fe0cb9c44c63f37419c1cc970ee74a96e66324a21828bf651013a4208c9cb7ba48ff5ccde07d21861ff1a
  Set value (data)  TabbedBrowsing\NewTabPage\LastProcessed = 7026eb4fea85d501
  Set value (data)  TabbedBrowsing\NewTabPage\MFV = (value elided in the report)

pid 1948 iexplore.exe
  Set value (int)   Main\CompatibilityFlags = "0"
  Set value (int)   Recovery\AdminActive\{93C1F861-F1DD-11E9-B942-7EE986143E30} = "0"
  Set value (str)   Main\WindowsSearch\Version = "WS not running"
  Set value (str)   Main\FullScreen = "no"
  Set value (int)   Recovery\PendingRecovery\AdminActive = "0"
  Set value (int)   MINIE\TabBandWidth = "500"

pid 1124 iexplore.exe
  Set value (int)   Main\CompatibilityFlags = "0"
  Set value (int)   Recovery\AdminActive\{A133FCA1-F1DD-11E9-B942-7EE986143E30} = "0"
  Set value (str)   Main\WindowsSearch\Version = "WS not running"
  Set value (str)   Main\FullScreen = "no"
  Set value (int)   Recovery\PendingRecovery\AdminActive = "0"
  Set value (int)   MINIE\TabBandWidth = "500"

pid 1580 iexplore.exe
  Set value (int)   Main\CompatibilityFlags = "0"
  Set value (int)   Recovery\AdminActive\{AEA13E21-F1DD-11E9-B942-7EE986143E30} = "0"
  Set value (str)   Main\WindowsSearch\Version = "WS not running"
  Set value (str)   Main\FullScreen = "no"
  Set value (int)   Recovery\PendingRecovery\AdminActive = "0"
  Set value (int)   MINIE\TabBandWidth = "500"

pid 1724 iexplore.exe
  Set value (int)   Main\CompatibilityFlags = "0"
  Set value (int)   Recovery\AdminActive\{BC799D81-F1DD-11E9-B942-7EE986143E30} = "0"
  Set value (str)   Main\WindowsSearch\Version = "WS not running"
  Set value (str)   Main\FullScreen = "no"
  Set value (int)   Recovery\PendingRecovery\AdminActive = "0"
  Set value (int)   MINIE\TabBandWidth = "500"

Suspicious use of WriteProcessMemory (5 IoCs)
description                       pid   Process       procid_target
PID 308 wrote to memory of 1980   308   iexplore.exe  29
PID 1948 wrote to memory of 1396  1948  iexplore.exe  32
PID 1124 wrote to memory of 1100  1124  iexplore.exe  34
PID 1580 wrote to memory of 1264  1580  iexplore.exe  38
PID 1724 wrote to memory of 1988  1724  iexplore.exe  40

Suspicious use of SetWindowsHookEx (10 IoCs)
pid   Process
308   iexplore.exe
1980  IEXPLORE.EXE
1948  iexplore.exe
1396  IEXPLORE.EXE
1124  iexplore.exe
1100  IEXPLORE.EXE
1580  iexplore.exe
1264  IEXPLORE.EXE
1724  iexplore.exe
1988  IEXPLORE.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\9193eaeff8fff6c8b09dc370b9e60ddab5b121a3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9193eaeff8fff6c8b09dc370b9e60ddab5b121a3.exe"
  PID: 1784

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 308
  Signatures: Suspicious use of FindShellTrayWindow; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory; Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:308 CREDAT:275457 /prefetch:2
  PID: 1980
  Signatures: Suspicious use of SetWindowsHookEx

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 1948
  Signatures: Suspicious use of FindShellTrayWindow; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory; Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2
  PID: 1396
  Signatures: Suspicious use of SetWindowsHookEx

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 1124
  Signatures: Suspicious use of FindShellTrayWindow; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory; Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1124 CREDAT:275457 /prefetch:2
  PID: 1100
  Signatures: Suspicious use of SetWindowsHookEx

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 1580
  Signatures: Suspicious use of FindShellTrayWindow; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory; Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2
  PID: 1264
  Signatures: Suspicious use of SetWindowsHookEx

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 1724
  Signatures: Suspicious use of FindShellTrayWindow; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory; Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:2
  PID: 1988
  Signatures: Suspicious use of SetWindowsHookEx
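The behavioural signatures on this page are low-weight, generic browser activity rather than evidence specific to the malware: FindShellTrayWindow and SetWindowsHookEx are routine for Internet Explorer, the registry writes are all under the user's Internet Explorer settings key, each WriteProcessMemory row is an iexplore.exe frame writing into the tab process that names it in SCODEF:<pid>, and the score is N/A. The finding that matters is the extracted ursnif config. What is worth noticing in the process list is that five IE frames were started with -Embedding, the argument COM passes when a client activates the browser programmatically rather than a user launching it, and that the submitted sample (PID 1784) does not appear as their parent. The Python below is an added example, not from the report: it rebuilds the process tree from the rows above, tying each tab process to its frame through SCODEF, and checks whether each WriteProcessMemory edge is a frame writing to its own tab (every edge on this page) or a write into an unrelated process, which is what would point at injection; a constructed edge such as 308 writing into 1784 falls into that second bucket. The registry check keeps only writes that are not under the Internet Explorer settings key; the three rows included are copied from the table above.

```python
"""Reconstruct the process tree from the report's rows and check what the
WriteProcessMemory and registry signatures actually relate to."""
import re

IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9193eaeff8fff6c8b09dc370b9e60ddab5b121a3.exe"

# (pid, image, command line), transcribed from the report's process list.
PROCESS_ROWS = [
    (1784, SAMPLE, f'"{SAMPLE}"'),
    (308, IE64, f'"{IE64}" -Embedding'),
    (1980, IE32, f'"{IE32}" SCODEF:308 CREDAT:275457 /prefetch:2'),
    (1948, IE64, f'"{IE64}" -Embedding'),
    (1396, IE32, f'"{IE32}" SCODEF:1948 CREDAT:275457 /prefetch:2'),
    (1124, IE64, f'"{IE64}" -Embedding'),
    (1100, IE32, f'"{IE32}" SCODEF:1124 CREDAT:275457 /prefetch:2'),
    (1580, IE64, f'"{IE64}" -Embedding'),
    (1264, IE32, f'"{IE32}" SCODEF:1580 CREDAT:275457 /prefetch:2'),
    (1724, IE64, f'"{IE64}" -Embedding'),
    (1988, IE32, f'"{IE32}" SCODEF:1724 CREDAT:275457 /prefetch:2'),
]

# (writer pid, target pid) from "Suspicious use of WriteProcessMemory".
WRITE_ROWS = [(308, 1980), (1948, 1396), (1124, 1100), (1580, 1264), (1724, 1988)]

# (pid, registry value path): three rows from "Modifies Internet Explorer settings".
HKU = r"\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000"
REGISTRY_ROWS = [
    (308, HKU + r"\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags"),
    (308, HKU + r"\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun"),
    (1948, HKU + r"\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth"),
]

SCODEF_RE = re.compile(r"\bSCODEF:(\d+)")
IE_SETTINGS = "\\Software\\Microsoft\\Internet Explorer\\"


def build_tree(rows):
    """Map pid -> {image, role, parent}. An IE tab process names its frame
    process in SCODEF:<pid>; '-Embedding' marks a frame started through COM
    activation rather than by a user opening the browser."""
    tree = {}
    for pid, image, cmdline in rows:
        m = SCODEF_RE.search(cmdline)
        if m:
            role, parent = "ie-tab", int(m.group(1))
        elif "-Embedding" in cmdline:
            role, parent = "ie-frame-com", None
        else:
            role, parent = "other", None
        tree[pid] = {"image": image, "role": role, "parent": parent}
    return tree


def com_activated_frames(tree):
    """PIDs of IE frames that were started via COM activation."""
    return sorted(pid for pid, p in tree.items() if p["role"] == "ie-frame-com")


def classify_writes(tree, writes):
    """Split WriteProcessMemory edges into a frame writing to its own tab (IE's
    normal frame/tab relationship) and writes into any other process, which is
    the case that would point at code injection."""
    result = {"frame_to_tab": [], "cross_process": []}
    for src, dst in writes:
        target = tree.get(dst)
        if target and target["role"] == "ie-tab" and target["parent"] == src:
            result["frame_to_tab"].append((src, dst))
        else:
            result["cross_process"].append((src, dst))
    return result


def registry_outside_ie_settings(rows):
    """Registry writes that are not under the user's Internet Explorer settings
    key; on this page there are none."""
    return [(pid, path) for pid, path in rows if IE_SETTINGS.lower() not in path.lower()]


if __name__ == "__main__":
    tree = build_tree(PROCESS_ROWS)
    print("COM-activated IE frames:", com_activated_frames(tree))
    print("memory writes:", classify_writes(tree, WRITE_ROWS))
    print("registry writes outside IE settings:", registry_outside_ie_settings(REGISTRY_ROWS))
```

Run against the rows on this page, every memory write lands in the frame_to_tab bucket and the registry filter returns nothing, which is the point: on this report the sandbox's generic signatures add no weight beyond the config extraction. Feeding the same functions real process-access and registry telemetry from an endpoint sensor is where a write from an iexplore.exe into a non-IE process, or a write to a Run key, would surface.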