Overview

overview

10

Static

static

100000.dll

windows7_x64

10

100000.dll

windows10_x64

10

Analysis

  • max time kernel
    65s
  • max time network
    67s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    11-08-2020 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    100000.dll

  • Size

    50KB

  • MD5

    15c83c1ea197eb1889921fc281bf10c3

  • SHA1

    ef95a71fdca5820529d3dcb986ef1170e2a9fdd1

  • SHA256

    2b6fcb1b4cfb00114d2a79ae86e3406585df4ae8616e3d235c987a5100ae0ded

  • SHA512

    4ab0c1075246a9cb188d1e1c932df1c2b12f30032d1f6159a93bba0abea2714975916c57549a1fb2c90597c53420c09855626cbb27551364d49ef68fadd9e43e

Score
10/10
bankertrojanursnif

Malware Config

Extracted

Family

ursnif

Botnet

4779

C2

37.10.71.42

loaidifds.club
Attributes
  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    1.320669898e+09

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

rsa_pubkey.base64
serpent.plain

Signatures

  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\100000.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3568
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\100000.dll,#1
      2⤵
        PID:3740
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 588
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4072

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3740-0-0x0000000000000000-mapping.dmp

      Download

    • memory/3740-1-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/3740-3-0x0000000000000000-mapping.dmp

      Download

    • memory/3740-4-0x0000000000000000-mapping.dmp

      Download

    • memory/3740-6-0x0000000000000000-mapping.dmp

      Download

    • memory/4072-2-0x0000000004A40000-0x0000000004A41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4072-5-0x00000000053B0000-0x00000000053B1000-memory.dmp

      Filesize

      4KB

      Download