Analysis
- max time kernel: 17s
- max time network: 69s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:30
Behavioral task
- behavioral1
  Sample: u03062020.bin.dll
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
General
- Target: u03062020.bin.dll
- Size: 576KB
- MD5: 436098e705e0c18a156441ac979a4a9c
- SHA1: 15d678fb01192792852aef1d96a2b915d75a1034
- SHA256: b9127a38c105987631df3a245c009dc9519bb790e27e8fd6de682b89f76d7db8
- SHA512: 319321bab1b61408fd0a82cc1a16d85e39eb28d2d22e26153912a5f768b925baf0ce8b811d2c69f81804d5db1c2d421030f1c7e93fa1af5a97390654b7f759b7
Malware Config
Extracted
- Family: ursnif
- Attributes
  - dga_base_url
  - dga_crc: 0
  - dga_season: 0
  - dga_tlds
  - dns_servers
Signatures
- Program crash (1 IoC)
  pid: 4020, pid_target: 1232, Process: WerFault.exe, procid_target: 69
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid: 4020, Process: WerFault.exe (same entry repeated 14 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeRestorePrivilege, pid: 4020, Process: WerFault.exe
  description: Token: SeBackupPrivilege, pid: 4020, Process: WerFault.exe
  description: Token: SeDebugPrivilege, pid: 4020, Process: WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1108 wrote to memory of 1232, pid: 1108, Process: rundll32.exe, procid_target: 69 (same entry repeated 3 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\u03062020.bin.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1108
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\u03062020.bin.dll,#1
    PID: 1232
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 648
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4020