Analysis

  • max time kernel
    143s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    27-10-2020 10:58

General

  • Target
    94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3.exe
  • Size
    1.4MB
  • MD5
    cf960a758eaedcd2b6e110a3ab359d9e
  • SHA1
    54bd36675e88cc21dc125942c1474625a86cd83f
  • SHA256
    94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3
  • SHA512
    06277298a92a283f21e8c2e8b095723d84ee758de86c0c3684ee0316d2b3f5c13dcf7263f7b7d9c53387ebe9d32c2c056cd8eebc43124d9a45dcc9df116b7086

Malware Config

Signatures

  • Ursnif RM3
    A heavily modified version of Ursnif discovered in the wild.
  • Modifies Internet Explorer settings (1 TTP, 126 IoCs)
  • Suspicious use of FindShellTrayWindow (5 IoCs)
  • Suspicious use of SetWindowsHookEx (20 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3.exe
    "C:\Users\Admin\AppData\Local\Temp\94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3.exe"
    1⤵
      PID:1496
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:268
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:556 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1156
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1448
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:888
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1564

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry, T1112 (1)


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
    MD5
    9c8803157da472557f25514b484e123e
    SHA1
    0c6f830fe60b615f1543eee6755bbe7bad1fc25b
    SHA256
    c0e6e5ae60ed8ed5918f5bec491bdf51a3c47ccd46d4cb0e4ac1e8896fa5551b
    SHA512
    c41dcc9c756c102c6521e44f1937e054de804a20378443733463a754dd944bcbac97ca9ff7b0b649e5b5c2072826877081871808b442ac5a7a92ba335daa6c78
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5
    f5e6f7f600a073bb08d89c84aee4c482
    SHA1
    98cc8aca94a28704185a4d33617e2143f8e0fe50
    SHA256
    cb29723cec50ad69ced2b55ac1221579126f0a78af02aff3336ee16750219230
    SHA512
    fdda26259d1f6edce55cc3df3b1e24d2c8925ba489b71d5b4dcb1d383ba53fc75add06e75c8a86cf4725287e5c961e28969c129c5db7b28a0112e0f7b83df357
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
    MD5
    bd6aed9a4736520f390b07e2f4830538
    SHA1
    361c0bd4f4a92aff4ec5a3bf684a949104e164cc
    SHA256
    078f40f5cf11058d0a4be90075ccd14471be9910370a2929e3d5cae3695e78f3
    SHA512
    7f8379e4cd8a9cf31d421a823004c5549e6fbbd80562849235d62f528dc9fef9be0f5df9965d18376c28c725c3cdc90f3452340293a9ac6cf642f23a67ff81b9
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9sinn1d\imagestore.dat
    MD5
    939e7d52deb3eb1d35e6bdad7d8f54f0
    SHA1
    333e4d9b4b00e78d5da5d799decd6f0d8face1ad
    SHA256
    b912515457694b73c9531a2e40cd234ab95b14c757172f42a012d6f8fe089e28
    SHA512
    426cdaeea6bb74ee11ee0028ce37aac498acfa278b50a442329fef69ba970d9a421e13958fa85ba80155af60b9f5ad60160c823c21cef6adfa4da063d15e42bc


  • memory/268-4-0x0000000004490000-0x0000000004493000-memory.dmp
    Filesize
    12KB
  • memory/268-3-0x00000000065C0000-0x00000000065E3000-memory.dmp
    Filesize
    140KB
  • memory/268-2-0x0000000000000000-mapping.dmp
  • memory/888-14-0x0000000000000000-mapping.dmp
  • memory/1156-5-0x0000000000000000-mapping.dmp
  • memory/1440-1-0x000007FEF76E0000-0x000007FEF795A000-memory.dmp
    Filesize
    2.5MB
  • memory/1448-11-0x0000000000000000-mapping.dmp
  • memory/1496-0-0x0000000000240000-0x0000000000252000-memory.dmp
    Filesize
    72KB
  • memory/1564-17-0x0000000000000000-mapping.dmp