Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-11-2020 15:13

General

  • Target

    run.bat

  • Size

    32B

  • MD5

    620730fa5833ca62711e01172f9767c4

  • SHA1

    402d21e79fb264be16ed69f6d07d9e35bdd8fb91

  • SHA256

    5e6b3126b585d6cbc03f0f2f03487cbf48519476407064a61ec0652cfc4172ea

  • SHA512

    62c8dc846c1c18bbac254b4c48d84627646fe81bf68b7c69a8fe694706cdad3632558f7db11abbb6fd67f26c30f0fb32819374b02b3cb1d49ab455cd99d7f0de

Malware Config

Signatures

  • Ursnif RM3

    A heavily modified version of Ursnif discovered in the wild.

  • Modifies Internet Explorer settings 1 TTPs 198 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\system32\regsvr32.exe
      regsvr32 -s 10.11nov322.gif.dll
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Windows\SysWOW64\regsvr32.exe
        -s 10.11nov322.gif.dll
        3⤵
          PID:1292
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:564 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:524
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:752 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:528
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1656
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1012
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1184
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x558
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1876
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1440
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:976
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:976 CREDAT:275457 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:1620
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1588 CREDAT:275457 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:1836
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:768 CREDAT:275457 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:268

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Defense Evasion

      Modify Registry

      1
      T1112

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
        MD5

        a69fba04d9b13e82fb772d1b38b6054a

        SHA1

        f7ab8c1d32ddc58e13f65f9b8bb0cc844f164454

        SHA256

        733d04f9d9e1fdf85914f097cca3f8bfb3926c38a7ccf69e7c74d887abbc64ff

        SHA512

        6fae50c73cc08c48d5ecb6814785f82c46ded1dc00ba9a8b02a9b2bd907a10bba6015e0a5753487a12765db242162ce4f822bf5d3381a71ae2143c9f5d34669a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        8db13ff0465d088f34cf0545de92826d

        SHA1

        a079dfb936d16010c0ead2f69bb4a8fdb90ac13f

        SHA256

        c8a9be35d4276c7c6ba6a0295d5085df629a6019bd7237b060f66d9a076cc254

        SHA512

        8d2de3266e5a41afa0c8d284101d0f658bc0b3a334348d484da336e8c2d8457ae159447baf792c2b6383c1b51a848adeb9651560d4925e3d2d7379d473f5289a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
        MD5

        016f713b4f33f884f35d427babf3bdcf

        SHA1

        3c23e315cfd71dab6b3b3eb931f46e7682402a77

        SHA256

        d7e7cc417bb7718532e7c9a9681b67c4bf54a0959ee92ca8079bb9459f1201f8

        SHA512

        2c4e6a4042883a7b003d28a8a2b975d82db782221a4cce4bcb29c8e95efb02511dc159ce1b33a813d459cad3a1ab53e16fbcd429c3763d63874205402c558dd1

      • memory/268-22-0x0000000000000000-mapping.dmp
      • memory/288-3-0x000007FEF6260000-0x000007FEF64DA000-memory.dmp
        Filesize

        2.5MB

      • memory/524-4-0x0000000000000000-mapping.dmp
      • memory/524-6-0x00000000050E0000-0x00000000050E3000-memory.dmp
        Filesize

        12KB

      • memory/524-5-0x00000000073C0000-0x00000000073E3000-memory.dmp
        Filesize

        140KB

      • memory/528-7-0x0000000000000000-mapping.dmp
      • memory/1184-14-0x0000000000000000-mapping.dmp
      • memory/1264-0-0x0000000000000000-mapping.dmp
      • memory/1292-2-0x0000000000190000-0x00000000001A2000-memory.dmp
        Filesize

        72KB

      • memory/1292-1-0x0000000000000000-mapping.dmp
      • memory/1440-16-0x0000000000000000-mapping.dmp
      • memory/1620-18-0x0000000000000000-mapping.dmp
      • memory/1656-12-0x0000000000000000-mapping.dmp
      • memory/1836-20-0x0000000000000000-mapping.dmp