ursnif | 68f87a49ca4f6f1fe31b3e26a0988f13c270c66cf45e94f2e83fd0c41b63564b

General

Target

cbc399f8957918ca58b540080687665e.bin.exe
Size

604KB
MD5

cbc399f8957918ca58b540080687665e
SHA1

66fd6764a289bbd0c070f2868b9b3dfcaf189870
SHA256

2b330d2eea637a524621dca0b18db45b53d7542d21323afed1f454f3437c4d3e
SHA512

a795587c0529e5119e81edfb7ef3480bcd2a6ef5a9e8d4982c4edcd2fdaf66fb77ed0528bc6ce13f3b3667fb6364b4710b8dc5c5843afd11ed982877ee1bf84f

Score

10^/10

banker trojan ursnif persistence spyware evasion gozi_ifsb

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cbc399f8957918ca58b540080687665e.bin.exeExplorer.EXE

pid process

1240 cbc399f8957918ca58b540080687665e.bin.exe
1244 Explorer.EXE

pid	process
1240	cbc399f8957918ca58b540080687665e.bin.exe
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

cbc399f8957918ca58b540080687665e.bin.execontrol.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1240 wrote to memory of 1424	1240	cbc399f8957918ca58b540080687665e.bin.exe	control.exe
PID 1240 wrote to memory of 1424	1240	cbc399f8957918ca58b540080687665e.bin.exe	control.exe
PID 1240 wrote to memory of 1424	1240	cbc399f8957918ca58b540080687665e.bin.exe	control.exe
PID 1240 wrote to memory of 1424	1240	cbc399f8957918ca58b540080687665e.bin.exe	control.exe
PID 1240 wrote to memory of 1424	1240	cbc399f8957918ca58b540080687665e.bin.exe	control.exe
PID 1240 wrote to memory of 1424	1240	cbc399f8957918ca58b540080687665e.bin.exe	control.exe
PID 1240 wrote to memory of 1424	1240	cbc399f8957918ca58b540080687665e.bin.exe	control.exe
PID 1424 wrote to memory of 1244	1424	control.exe	Explorer.EXE
PID 1424 wrote to memory of 1244	1424	control.exe	Explorer.EXE
PID 1424 wrote to memory of 1244	1424	control.exe	Explorer.EXE
PID 1424 wrote to memory of 452	1424	control.exe	rundll32.exe
PID 1424 wrote to memory of 452	1424	control.exe	rundll32.exe
PID 1424 wrote to memory of 452	1424	control.exe	rundll32.exe
PID 1424 wrote to memory of 452	1424	control.exe	rundll32.exe
PID 1244 wrote to memory of 1056	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1056	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1056	1244	Explorer.EXE	cmd.exe
PID 1056 wrote to memory of 1044	1056	cmd.exe	nslookup.exe
PID 1056 wrote to memory of 1044	1056	cmd.exe	nslookup.exe
PID 1056 wrote to memory of 1044	1056	cmd.exe	nslookup.exe
PID 1244 wrote to memory of 1524	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1524	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1524	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1832	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1832	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1832	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1832	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1832	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1832	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1832	1244	Explorer.EXE	cmd.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

cbc399f8957918ca58b540080687665e.bin.execontrol.exeExplorer.EXE

pid process

1240 cbc399f8957918ca58b540080687665e.bin.exe
1424 control.exe
1424 control.exe
1244 Explorer.EXE

pid	process
1240	cbc399f8957918ca58b540080687665e.bin.exe
1424	control.exe
1424	control.exe
1244	Explorer.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

cbc399f8957918ca58b540080687665e.bin.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 1240 set thread context of 1424	1240	cbc399f8957918ca58b540080687665e.bin.exe	control.exe
PID 1424 set thread context of 1244	1424	control.exe	Explorer.EXE
PID 1424 set thread context of 452	1424	control.exe	rundll32.exe
PID 1244 set thread context of 1832	1244	Explorer.EXE	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

pid	process
1244	Explorer.EXE

pid	process
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\activoas = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\BioCrepl\\DDORsdmo.exe"	Explorer.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

pid	process
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
PID:1244
- C:\Users\Admin\AppData\Local\Temp\cbc399f8957918ca58b540080687665e.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\cbc399f8957918ca58b540080687665e.bin.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  PID:1240
- - C:\Windows\system32\control.exe
    C:\Windows\system32\control.exe /?
    3⤵
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    PID:1424
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
      4⤵
      PID:452
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\D4A0.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1044
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D4A0.bi1"
  2⤵
  PID:1524
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D4A0.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4A0.bi1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BioCrepl\DDORsdmo.exe

Download Submit
memory/452-5-0x00000000FFBE3CEC-mapping.dmp

Download
memory/1044-7-0x0000000000000000-mapping.dmp

Download
memory/1056-6-0x0000000000000000-mapping.dmp

Download
memory/1240-0-0x000000000539B000-0x00000000053FA000-memory.dmp

Filesize
380KB

Download
memory/1240-1-0x00000000002E0000-0x000000000032A000-memory.dmp

Filesize
296KB

Download
memory/1424-3-0x000007FFFFFDF000-mapping.dmp

Download
memory/1424-2-0x0000000000000000-mapping.dmp

Download
memory/1524-8-0x0000000000000000-mapping.dmp

Download
memory/1832-11-0x0000000000000000-mapping.dmp

Download
memory/1832-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads