Analysis
  max time kernel:   151s
  max time network:  136s
  platform:          windows7_x64
  resource:          win7
  submitted:         26/06/2020, 17:36

Static task:      static1
Behavioral task:  behavioral1
  Sample:    SecuriteInfo.com.BScope.TrojanSpy.Ursnif.27559.dll
  Resource:  win7
  0 signatures
  0 seconds
General
  Target:  SecuriteInfo.com.BScope.TrojanSpy.Ursnif.27559.dll
  Size:    426KB
  MD5:     95d3b622d696c1a31dbef624a2e47163
  SHA1:    8a1c5a4f794af421e7b54471ed7f4a62212721a0
  SHA256:  f84e08a4d83f63cb37f7117f401c242ecbd3ebbd6b7a12fb99332bcf5950f803
  SHA512:  c3ac8a246e7d769faa21f330c5c0a0fef4c4e33a6875478e43ee891f367e90fee3ea657b08ba338f6263e38b17efe69b7c5c1c86167afc871b9a20f251fd67d1
  Score:   10/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory (52 IoCs)
  Repeated identical entries are collapsed; the count column gives the number of times each write was recorded.

  description                        | pid  | Process       | procid_target | count
  PID 1460 wrote to memory of 1484   | 1460 | rundll32.exe  | 24            | 7
  PID 1484 wrote to memory of 1404   | 1484 | rundll32.exe  | 27            | 9
  PID 1404 wrote to memory of 1984   | 1404 | msiexec.exe   | 30            | 4
  PID 1984 wrote to memory of 1936   | 1984 | cmd.exe       | 32            | 4
  PID 1404 wrote to memory of 2016   | 1404 | msiexec.exe   | 33            | 4
  PID 2016 wrote to memory of 1988   | 2016 | cmd.exe       | 35            | 4
  PID 1988 wrote to memory of 1188   | 1988 | net.exe       | 36            | 4
  PID 1404 wrote to memory of 1332   | 1404 | msiexec.exe   | 37            | 4
  PID 1332 wrote to memory of 1260   | 1332 | cmd.exe       | 39            | 4
  PID 1404 wrote to memory of 368    | 1404 | msiexec.exe   | 40            | 4
  PID 368 wrote to memory of 756     | 368  | cmd.exe       | 42            | 4

Suspicious use of SetThreadContext (1 IoC)
  description                          | pid  | Process      | procid_target
  PID 1484 set thread context of 1404  | 1484 | rundll32.exe | 27

Modifies service (2 TTPs, 2 IoCs)
  description | ioc                                                               | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas     | ipconfig.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs     | ipconfig.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 | pid  | Process
  Token: SeSecurityPrivilege  | 1404 | msiexec.exe
  Token: SeSecurityPrivilege  | 1404 | msiexec.exe

Blacklisted process makes network request (17 IoCs)
  flow        | pid  | Process
  7 through 23 (17 flows, one entry per flow) | 1404 | msiexec.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid  | Process
  1404 | msiexec.exe

Discovers systems in the same network (1 TTP, 2 IoCs)
  pid  | Process
  1260 | net.exe
  756  | net.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
  Each entry gives the image path, the command line, the PID, and the signatures triggered by that process; indentation shows the parent/child relationship.

  [1] C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.TrojanSpy.Ursnif.27559.dll,#1
      PID: 1460
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.TrojanSpy.Ursnif.27559.dll,#1
        PID: 1484
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SetThreadContext

      [3] C:\Windows\SysWOW64\msiexec.exe
          Command line: msiexec.exe
          PID: 1404
          - Suspicious use of WriteProcessMemory
          - Suspicious use of AdjustPrivilegeToken
          - Blacklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses

        [4] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c ipconfig /all
            PID: 1984
            - Suspicious use of WriteProcessMemory

          [5] C:\Windows\SysWOW64\ipconfig.exe
              Command line: ipconfig /all
              PID: 1936
              - Modifies service

        [4] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c net config workstation
            PID: 2016
            - Suspicious use of WriteProcessMemory

          [5] C:\Windows\SysWOW64\net.exe
              Command line: net config workstation
              PID: 1988
              - Suspicious use of WriteProcessMemory

            [6] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 config workstation
                PID: 1188

        [4] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c net view /all
            PID: 1332
            - Suspicious use of WriteProcessMemory

          [5] C:\Windows\SysWOW64\net.exe
              Command line: net view /all
              PID: 1260
              - Discovers systems in the same network

        [4] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c net view /all /domain
            PID: 368
            - Suspicious use of WriteProcessMemory

          [5] C:\Windows\SysWOW64\net.exe
              Command line: net view /all /domain
              PID: 756
              - Discovers systems in the same network