Overview

overview

10

Static

static

Dori.ocx.dll

windows7_x64

10

Dori.ocx.dll

windows10_x64

8

Analysis

  • max time kernel
    124s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-11-2020 10:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dori.ocx.dll

  • Size

    141KB

  • MD5

    745868c40e6f1d1d40ae60335417f6d7

  • SHA1

    cfe42b4014fc22596b4305271c4a133492603349

  • SHA256

    7a5e4fd35a1a636ef1beb7e62cc647d7e63f5c7aadd2aa1a49d49c81183aca93

  • SHA512

    fae585aa131dfa0c5063991fe13938f73c83d78b43ee142ca39e767ec7db6ec7bb419522b4c0c6c210163b05e95db896388446dd8b70b7a29d4c6fe31d130b18

Score
10/10
ursnif_rm3bankertrojan

Malware Config

Signatures

  • Ursnif RM3

    A heavily modified version of Ursnif discovered in the wild.

    bankertrojanursnif_rm3
  • Blacklisted process makes network request 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 58 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1248
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dori.ocx.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dori.ocx.dll,#1
          3⤵
          • Blacklisted process makes network request
          PID:1300
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Windows\system32\forfiles.exe
          forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1364
          • C:\Windows\system32\cmd.exe
            /k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1988
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA
              5⤵
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1592
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ebrswlgx\ebrswlgx.cmdline"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1752
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7771.tmp" "c:\Users\Admin\AppData\Local\Temp\ebrswlgx\CSCDB1E33216B9B466BA644D185ECBDED3.TMP"
                  7⤵
                    PID:2028
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3212vfoz\3212vfoz.cmdline"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1916
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7899.tmp" "c:\Users\Admin\AppData\Local\Temp\3212vfoz\CSCE3CEBCDC79B740E599C16C465A374F59.TMP"
                    7⤵
                      PID:1700
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\Users\Admin\AppData\Local\Temp\Dori.ocx.dll"
            2⤵
            • Deletes itself
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Windows\system32\timeout.exe
              timeout /t 5
              3⤵
              • Delays execution with timeout.exe
              PID:2004
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1896
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1144
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1836
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1836 CREDAT:275457 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:760

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
          MD5

          a69fba04d9b13e82fb772d1b38b6054a

          SHA1

          f7ab8c1d32ddc58e13f65f9b8bb0cc844f164454

          SHA256

          733d04f9d9e1fdf85914f097cca3f8bfb3926c38a7ccf69e7c74d887abbc64ff

          SHA512

          6fae50c73cc08c48d5ecb6814785f82c46ded1dc00ba9a8b02a9b2bd907a10bba6015e0a5753487a12765db242162ce4f822bf5d3381a71ae2143c9f5d34669a

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          MD5

          e959ef572697f11b81ed9ce04fd804dd

          SHA1

          0063dc3996f5a192ee2a46d538db83109cacdf05

          SHA256

          2f68a16f0c5592971444ab41e4b06fc4a8cbe436becf4426f6e85a7faaf703f5

          SHA512

          e91ba60dc23e479205381b5d3835171a76a1b80e8ec19e155276e214adfb862674b9f94eb70709ad2d5afc4f4ade8cc11cacae243f02cddded2ed04396b5d743

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
          MD5

          d27a4c8f6a43624d8fbce4299ebe10af

          SHA1

          bdbd07c1e86ad14985fec133a02c9f6d9a52bb87

          SHA256

          a3894442be8d2958c2e411305b00d907d283fb748254fc0b1b0825df906e86d9

          SHA512

          8edb53d5c4b9bf3c4001dc1c4d43ad6dff515428697750f80870b49e0523aff6ee30045f4e5a2915a3c26eabe8bff5f70f6e235ca6713a4bdd7f67ff85b7b28c

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
          MD5

          cc0dcfb29fddd63fe43fd1c273b4feea

          SHA1

          131304913bf9ac8a9a1c660ccdf6d1de81b0ece9

          SHA256

          9122e2bd8d65e3deef9688a80f1be7d41e09c7d5080e2532cae8a35641921358

          SHA512

          0faebb66dce18c9851a4a6c8097a8592684528346edcf9b6189511ddffb8b723f6d8630c082dc5c1092da330925667f84e7d4999cfd397848884cd81489ba724

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\favicon[1].ico
          MD5

          a976d227e5d1dcf62f5f7e623211dd1b

          SHA1

          a2a9dc1abdd3d888484678663928cb024c359ee6

          SHA256

          66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271

          SHA512

          6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\3212vfoz\3212vfoz.dll
          MD5

          0d715565cc2a4ec4343d14eca418b8f9

          SHA1

          4f284c5ca918faa8e70c240bc250241f81cc16bd

          SHA256

          49b1f59605b39a226d94e4b03b68ad10bfbd673dc8109104c43e351dfc5d6a13

          SHA512

          5ddb11dcf43d26276579efa9531e4f1e63ac55675015fa43df924b7e0b1f8a34d2f15bec8c089e99c9ec3480a51eee4822d7a1656a0a8fef871c0e58d3460137

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RES7771.tmp
          MD5

          24f9d86aa507d6d9c4425eeb499f50ef

          SHA1

          6b276051420ddaa92498191693e338fb55a356c7

          SHA256

          bb83aef4041f1b4d9e865571f6c0a7b7b9fb6998eecb690f6b270ad6893902e5

          SHA512

          3ce13d2e3bed81ee878aa8d507cd1625d5c31e773a165421f873920e35fba2a7be05dd348cb6ea53f1552b568a1750a1c2130a960f071a157ed41087e0f46f0f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RES7899.tmp
          MD5

          a3e6b205d2716e682d79db5574daea2c

          SHA1

          c233753ed3a6a7877184b2407baeb0a83f925250

          SHA256

          ca9467210cd4ce2235001484ec03481ec3255463f8bd305836c92a4c2dc04786

          SHA512

          73e3d2da3259dc86d329562478f9b530755f59b1d113c931de5e5def1f9b4a921ecfe38d32953a646c01267250e5363005459e3287ee09dec4f0c251614a6097

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\ebrswlgx\ebrswlgx.dll
          MD5

          0fb35d6313ba654694529c896c273eff

          SHA1

          056f7a46ad85b6d3fe7049a5bb250eae43a8d762

          SHA256

          2ab93a37df00eff4188ee39d4476905503ccc517fa8d31638899a38ac4e63c4a

          SHA512

          7cc46eabf011f979b656f00cb0d8302fcf60a18d9fbd198ac11e865306464ac977210faa365f411408d15d30aa86cb3f838e35e00760c6d5ba57bae839d31baf

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\3212vfoz\3212vfoz.0.cs
          MD5

          a5043957e07dbe0dee7bb8aad13a403e

          SHA1

          571c9136e0e90d016dd83b24c40eadbf7186c701

          SHA256

          73775570d08cc971668d853274b7c9a0cfb407cf76480747b9e38542e5dc53c9

          SHA512

          14f98e4902059980ed8f46c72fdefeb404f14df0fa06628476d63f9bb9ed76fd6398abd4de8c1de7dfa2a8b2108c31e2b9b668acfc92958c1eecc4a0c8d656a1

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\3212vfoz\3212vfoz.cmdline
          MD5

          acee26f672b9ac15e802ef6744a02cf7

          SHA1

          86d76df11b0a60fd236ea63a6981662bee75cd0c

          SHA256

          e2c10e9e59b1bedef9c69ac47b5a976eb19c6245bd61a1bd732b6be67b7ad3eb

          SHA512

          9f720a68b280e0740a9060b2444e49e526601a178ab0f680c12b5e432b91f8056dd69da301586b5b3e1d4158d0ab4df45398f34066602a4bcc62b574483ca6af

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\3212vfoz\CSCE3CEBCDC79B740E599C16C465A374F59.TMP
          MD5

          382e0ce946437bcb556c261a7e665010

          SHA1

          2414e25a07a362eaf599b51281c837aea38fe7d5

          SHA256

          28fb7bd70063993550e211d4b079093496513a99e3643aaeb9c87d64388b75d8

          SHA512

          9fff94acdec6c0038a23ad0091d787df75959e43161b1da1efb0082311910c211c931300e8cfa3175342f931348e4173847cabdcb85baf0bbc2f719138cbb946

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\ebrswlgx\CSCDB1E33216B9B466BA644D185ECBDED3.TMP
          MD5

          95be6ec57ef8a495e2bc1207c11f1d4b

          SHA1

          b234ab776b5450402bfb983b265d238759f8e41a

          SHA256

          69393c3874f3e10bb8ca75a25beb49214d22d3dea4e4abc3e0d8fc6414216903

          SHA512

          98f0237e80bd956225e486b85a368ba4aeef7a086bc1b489dede6d439cb610965626ec74a3a8b37a15a9da82c952473e4365baf436875aa905490146df60ab54

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\ebrswlgx\ebrswlgx.0.cs
          MD5

          aee5ecef6b6a9b4372991443276b71ce

          SHA1

          911bd26fba4c5e51423f2c6339cc267f8697f339

          SHA256

          90e03a7c9cb196fd260c54663a4c867f33621ac29746cd8c0a4b2aa9b390754a

          SHA512

          cf99d4941aa5d1a4dd3abd5ca7a4d3d19a7f497c3247fd09505e263a9a4646b81eb19d7a9312b17a00d22ca9881b6d725b76013b7dc470dcc964b77970c96cc3

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\ebrswlgx\ebrswlgx.cmdline
          MD5

          d011a4bf36d8a0224addc1d1f9d61165

          SHA1

          9cb19a06031a35aaa63957398d4f8bd30735e8d0

          SHA256

          31b2823d32efb7e439720f4cbe9af7a5fc5c01792ea8264fafdb1db99312d3ea

          SHA512

          ddae9ac90b35a8bdd41f0ffa47627b952e37cb766177d32f6f3f42ad94babd5a65aa7b0b4603a0e896463ed47d8f30bb98dd3bdec0133e5f4855cf4112f31a80

          Download Submit
        • memory/368-2-0x000007FEF7B20000-0x000007FEF7D9A000-memory.dmp
          Filesize

          2.5MB

          Download
        • memory/760-4-0x0000000000000000-mapping.dmp
          Download
        • memory/1144-3-0x0000000000000000-mapping.dmp
          Download
        • memory/1300-1-0x0000000000190000-0x00000000001A2000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1300-0-0x0000000000000000-mapping.dmp
          Download
        • memory/1364-10-0x0000000000000000-mapping.dmp
          Download
        • memory/1364-11-0x0000000000000000-mapping.dmp
          Download
        • memory/1592-20-0x000000001C1B0000-0x000000001C1B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1592-18-0x0000000001F20000-0x0000000001F21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1592-37-0x000000001B710000-0x000000001B728000-memory.dmp
          Filesize

          96KB

          Download
        • memory/1592-13-0x0000000000000000-mapping.dmp
          Download
        • memory/1592-14-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
          Filesize

          9.9MB

          Download
        • memory/1592-19-0x000000001B680000-0x000000001B681000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1592-28-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1592-36-0x0000000002410000-0x0000000002411000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1592-15-0x0000000002520000-0x0000000002521000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1592-16-0x000000001AB90000-0x000000001AB91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1592-17-0x00000000025E0000-0x00000000025E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1700-32-0x0000000000000000-mapping.dmp
          Download
        • memory/1752-21-0x0000000000000000-mapping.dmp
          Download
        • memory/1916-29-0x0000000000000000-mapping.dmp
          Download
        • memory/1988-12-0x0000000000000000-mapping.dmp
          Download
        • memory/2004-38-0x0000000000000000-mapping.dmp
          Download
        • memory/2028-24-0x0000000000000000-mapping.dmp
          Download