Analysis
  max time kernel:   150s
  max time network:  105s
  platform:          windows10_x64
  resource:          win10v200430
  submitted:         26/06/2020, 17:36

Static task
  static1

Behavioral task
  behavioral1
  Sample:    SecuriteInfo.com.BScope.TrojanSpy.Ursnif.27559.dll
  Resource:  win7
  0 signatures
  0 seconds
General
  Target:  SecuriteInfo.com.BScope.TrojanSpy.Ursnif.27559.dll
  Size:    426KB
  MD5:     95d3b622d696c1a31dbef624a2e47163
  SHA1:    8a1c5a4f794af421e7b54471ed7f4a62212721a0
  SHA256:  f84e08a4d83f63cb37f7117f401c242ecbd3ebbd6b7a12fb99332bcf5950f803
  SHA512:  c3ac8a246e7d769faa21f330c5c0a0fef4c4e33a6875478e43ee891f367e90fee3ea657b08ba338f6263e38b17efe69b7c5c1c86167afc871b9a20f251fd67d1
Malware Config
Signatures
Discovers systems in the same network (1 TTPs, 2 IoCs)
  pid   Process
  2300  net.exe
  3540  net.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of WriteProcessMemory (35 IoCs)
  The raw signature list repeats each source/target pair several times (35 entries in total); the count column gives the number of repeats.
  description                        pid   Process       procid_target  count
  PID 3136 wrote to memory of 516    3136  rundll32.exe  66             3
  PID 516 wrote to memory of 2828    516   rundll32.exe  73             5
  PID 2828 wrote to memory of 3852   2828  msiexec.exe   74             3
  PID 3852 wrote to memory of 2184   3852  cmd.exe       76             3
  PID 2828 wrote to memory of 2988   2828  msiexec.exe   77             3
  PID 2988 wrote to memory of 3340   2988  cmd.exe       79             3
  PID 3340 wrote to memory of 2812   3340  net.exe       80             3
  PID 2828 wrote to memory of 1344   2828  msiexec.exe   81             3
  PID 1344 wrote to memory of 2300   1344  cmd.exe       83             3
  PID 2828 wrote to memory of 1480   2828  msiexec.exe   84             3
  PID 1480 wrote to memory of 3540   1480  cmd.exe       86             3

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   Process      count
  Token: SeSecurityPrivilege  2828  msiexec.exe  2

Blacklisted process makes network request (18 IoCs)
  flow   pid   Process
  8-25   2828  msiexec.exe   (one entry per flow, 18 flows)

Runs net.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                         pid  Process       procid_target
  PID 516 set thread context of 2828  516  rundll32.exe  73

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process      count
  2828  msiexec.exe  6
Processes (indentation shows the parent/child relationship)

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.TrojanSpy.Ursnif.27559.dll,#1
  PID: 3136
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.TrojanSpy.Ursnif.27559.dll,#1
    PID: 516
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      PID: 2828
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Blacklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ipconfig /all
        PID: 3852
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          PID: 2184

      C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c net config workstation
        PID: 2988
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe
          net config workstation
          PID: 3340
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 config workstation
            PID: 2812

      C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c net view /all
        PID: 1344
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe
          net view /all
          PID: 2300
          - Discovers systems in the same network

      C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c net view /all /domain
        PID: 1480
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe
          net view /all /domain
          PID: 3540
          - Discovers systems in the same network
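Detection logic for the chain in the signature tables and process tree above, written here as an added example (it is neither tria.ge output nor code from the sample). The process and cross-process API records are constructed from the PIDs, image paths and command lines shown on this page, in a simplified Sysmon-like tuple shape; the parent of the first rundll32.exe is not on the page and is left as None. The two checks are the ones a detection engineer would pull from this report: msiexec.exe started with an empty command line by a rundll32.exe that both wrote its memory and set its thread context (the hollowing pattern behind the WriteProcessMemory/SetThreadContext signatures), and cmd.exe children of that msiexec.exe running host and network discovery commands.

```python
import ntpath
import re
from collections import defaultdict

# Constructed process-create records (pid, ppid, image, command line),
# transcribed from the process tree in this report.
PROCESS_EVENTS = [
    (3136, None, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.TrojanSpy.Ursnif.27559.dll,#1"),
    (516, 3136, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.TrojanSpy.Ursnif.27559.dll,#1"),
    (2828, 516, r"C:\Windows\SysWOW64\msiexec.exe", "msiexec.exe"),
    (3852, 2828, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c ipconfig /all"),
    (2184, 3852, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    (2988, 2828, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c net config workstation"),
    (3340, 2988, r"C:\Windows\SysWOW64\net.exe", "net config workstation"),
    (2812, 3340, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 config workstation"),
    (1344, 2828, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c net view /all"),
    (2300, 1344, r"C:\Windows\SysWOW64\net.exe", "net view /all"),
    (1480, 2828, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c net view /all /domain"),
    (3540, 1480, r"C:\Windows\SysWOW64\net.exe", "net view /all /domain"),
]

# Constructed cross-process API records (source pid, target pid, api name),
# transcribed from the WriteProcessMemory and SetThreadContext signatures.
INJECTION_EVENTS = [
    (3136, 516, "WriteProcessMemory"),
    (516, 2828, "WriteProcessMemory"),
    (516, 2828, "SetThreadContext"),
]

# Discovery commands the sample ran from msiexec.exe via cmd.exe /c.
RECON_PATTERNS = [
    re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I),
    re.compile(r"\bnet(\.exe)?\s+view\b", re.I),
    re.compile(r"\bnet(\.exe)?\s+config\s+workstation\b", re.I),
]


def basename(image):
    return ntpath.basename(image).lower()


def find_hollowed_msiexec(procs, injections):
    """Return (parent_pid, msiexec_pid) pairs where msiexec.exe was launched
    with no arguments by rundll32.exe, and that rundll32.exe both wrote into
    the new process and replaced its thread context. A legitimate msiexec.exe
    install carries arguments (/i, /x, /q ...) and is not touched by rundll32."""
    by_pid = {p[0]: p for p in procs}
    apis = defaultdict(set)
    for src, dst, api in injections:
        apis[(src, dst)].add(api)
    hits = []
    for pid, ppid, image, cmdline in procs:
        if basename(image) != "msiexec.exe":
            continue
        args = cmdline.split()[1:]
        parent = by_pid.get(ppid)
        if args or parent is None or basename(parent[2]) != "rundll32.exe":
            continue
        if {"WriteProcessMemory", "SetThreadContext"} <= apis[(ppid, pid)]:
            hits.append((ppid, pid))
    return hits


def find_recon_from_msiexec(procs):
    """Return (msiexec_pid, cmd_pid, command line) for every cmd.exe that
    msiexec.exe spawned to run a discovery command. msiexec.exe has no
    business launching a shell at all; the recon pattern just sharpens it."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmdline in procs:
        parent = by_pid.get(ppid)
        if parent is None or basename(parent[2]) != "msiexec.exe":
            continue
        if basename(image) == "cmd.exe" and any(rx.search(cmdline) for rx in RECON_PATTERNS):
            hits.append((ppid, pid, cmdline))
    return hits


if __name__ == "__main__":
    for parent, child in find_hollowed_msiexec(PROCESS_EVENTS, INJECTION_EVENTS):
        print(f"hollowed msiexec.exe pid {child} (injector rundll32.exe pid {parent})")
    for parent, child, cmdline in find_recon_from_msiexec(PROCESS_EVENTS):
        print(f"recon from msiexec.exe pid {parent}: cmd pid {child}: {cmdline}")
```

On this report the first check fires once (rundll32.exe 516 into msiexec.exe 2828) and the second fires four times, once per cmd.exe /c child of 2828. The hop from C:\Windows\system32\rundll32.exe (3136) to C:\Windows\SysWOW64\rundll32.exe (516) is the 64-bit loader handing a 32-bit DLL to its 32-bit counterpart, so the injector to alert on is the SysWOW64 copy; a rule keyed only on the system32 path would miss it.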