Analysis

  • max time kernel
    145s
  • max time network
    152s
  • resource
    win10v191014

General

  • Target

    9193eaeff8fff6c8b09dc370b9e60ddab5b121a3

  • Sample

    191018-z54frb66pa

  • SHA256

    5c2f4f2893dadc75178da674dddc8c5375fa4242c76c0d99ff5f973c2822b7e6

Score
N/A

Malware Config

Extracted

Family

ursnif

Botnet

1000

C2

http://weekends-estate.xyz

Attributes
  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    1.320669898e+09

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    107.174.86.134

    107.175.127.22

rsa_pubkey.base64
serpent.plain

Signatures

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies service 2 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Drops file in system dir 5 IoCs
  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • ursnif family
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9193eaeff8fff6c8b09dc370b9e60ddab5b121a3.exe
    "C:\Users\Admin\AppData\Local\Temp\9193eaeff8fff6c8b09dc370b9e60ddab5b121a3.exe"
    1⤵
      PID:4904
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      PID:5116
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5116 CREDAT:82945 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1696
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s BITS
      1⤵
      • Modifies service
      • Drops file in system dir
      PID:4492
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
      1⤵
        PID:1604
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
        1⤵
        • Checks system information in the registry (likely anti-VM)
        PID:4216
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k unistacksvcgroup
        1⤵
          PID:4108
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
          1⤵
          • Windows security modification
          PID:3732
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          • Suspicious use of SetWindowsHookEx
          PID:2472
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2472 CREDAT:82945 /prefetch:2
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:4540
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          • Suspicious use of SetWindowsHookEx
          PID:3392
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:82945 /prefetch:2
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:424
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          • Suspicious use of SetWindowsHookEx
          PID:952
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:82945 /prefetch:2
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:1324

        Network

        MITRE ATT&CK Enterprise v15

        MITRE ATT&CK Additional techniques

        • T1031
        • T1089

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/4904-0-0x000000000255F000-0x0000000002573000-memory.dmp

          Filesize

          80KB

        • memory/4904-1-0x0000000004240000-0x0000000004241000-memory.dmp

          Filesize

          4KB

        • memory/4904-2-0x00000000024D0000-0x00000000024DF000-memory.dmp

          Filesize

          60KB