Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    04-06-2020 19:14

General

  • Target

    648a561dce7339c481ee358a6b72a71ad76a5f51362b501a3e385b2b69ff7d8e.exe

  • Size

    460KB

  • MD5

    06a9c78510edcd2d4157d65274083a59

  • SHA1

    a21bd8d57c47ad2a451de5100809569e295d0c67

  • SHA256

    648a561dce7339c481ee358a6b72a71ad76a5f51362b501a3e385b2b69ff7d8e

  • SHA512

    c320513ba00c3d3a9991201a57ec2bcbd0f59ea5b2b95003f00d56888b013e1dc4a081e82fe5ee58719b4c50d85640f98848742f0345f2cd264580cbf5fa8546

Malware Config

Signatures

  • Checks whether UAC is enabled 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Ursnif RM3

    A heavily modified version of Ursnif discovered in the wild.

  • Suspicious use of WriteProcessMemory 8 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\648a561dce7339c481ee358a6b72a71ad76a5f51362b501a3e385b2b69ff7d8e.exe
    "C:\Users\Admin\AppData\Local\Temp\648a561dce7339c481ee358a6b72a71ad76a5f51362b501a3e385b2b69ff7d8e.exe"
    PID:1492
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      PID:1796
      • Checks whether UAC is enabled
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:275457 /prefetch:2
        PID:1844
        • Checks whether UAC is enabled
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:472074 /prefetch:2
        PID:1904
        • Checks whether UAC is enabled
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx

    Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 hit


    Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DRG3EK50.txt
  • memory/1492-0-0x0000000000220000-0x0000000000236000-memory.dmp (Filesize 88KB)
  • memory/1844-1-0x0000000002EC0000-0x0000000002EC1000-memory.dmp (Filesize 4KB)
  • memory/1844-2-0x0000000002EC0000-0x0000000002EC1000-memory.dmp (Filesize 4KB)
  • memory/1844-5-0x0000000002EC0000-0x0000000002EC1000-memory.dmp (Filesize 4KB)
  • memory/1844-7-0x0000000002EC0000-0x0000000002EC1000-memory.dmp (Filesize 4KB)
  • memory/1844-23-0x0000000002C80000-0x0000000002C82000-memory.dmp (Filesize 8KB)
  • memory/1844-26-0x0000000002C80000-0x0000000002C82000-memory.dmp (Filesize 8KB)
  • memory/1844-28-0x0000000002C80000-0x0000000002C82000-memory.dmp (Filesize 8KB)