Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • resource
    win10v191014

General

  • Target

    42cb5218b9b949231f3c601715e80aab3d416f91

  • Sample

    191018-ze7jdhqtg6

  • SHA256

    9732d1386be943abf76b2e558d2bb458ce48365135da9b9ded4d7cbd939f2cce

Score
N/A

Malware Config

Extracted

Family

ursnif

Botnet

500

C2

http://myhomesitter.fun

Attributes
  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    1.320669898e+09

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    107.174.86.134

    107.175.127.22

rsa_pubkey.base64
serpent.plain

Signatures

  • Modifies Internet Explorer settings 1 TTPs 54 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • ursnif family
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Modifies service 2 TTPs 1 IoCs
  • Drops file in system dir 5 IoCs
  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42cb5218b9b949231f3c601715e80aab3d416f91.exe
    "C:\Users\Admin\AppData\Local\Temp\42cb5218b9b949231f3c601715e80aab3d416f91.exe"
    1⤵
      PID:4848
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:5020
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5020 CREDAT:82945 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:5072
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:4332
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4332 CREDAT:82945 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4392
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:4576
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4576 CREDAT:82945 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4628
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s BITS
      1⤵
      • Modifies service
      • Drops file in system dir
      PID:4324
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
      1⤵
        PID:4176
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
        1⤵
        • Checks system information in the registry (likely anti-VM)
        PID:440
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k unistacksvcgroup
        1⤵
          PID:4784
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
          1⤵
          • Windows security modification
          PID:1992
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:752
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:752 CREDAT:82945 /prefetch:2
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:64
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:1592
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1592 CREDAT:82945 /prefetch:2
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:1876
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:2488
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:82945 /prefetch:2
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:3212

        Network

        MITRE ATT&CK Enterprise v16

        MITRE ATT&CK Additional techniques

        • T1031
        • T1089

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/4848-0-0x00000000005DB000-0x00000000005F1000-memory.dmp

          Filesize

          88KB

        • memory/4848-1-0x0000000000990000-0x0000000000991000-memory.dmp

          Filesize

          4KB

        • memory/4848-2-0x0000000000590000-0x000000000059F000-memory.dmp

          Filesize

          60KB