ursnif_rm3 | be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2

Resubmissions

18-03-2021 22:02

210318-wg14eesjje 10

13-11-2020 10:22

201113-ycmfkdqrdn 10

Analysis

max time kernel
135s
max time network
136s
platform
windows7_x64
resource
win7v20201028
submitted
13-11-2020 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2.dll
Size

136KB
MD5

fe590fd117449bce4bfad57d36bfc099
SHA1

a5c3d7738ebc1f1ce8353e135b8dcea17155077b
SHA256

be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2
SHA512

f8e39f1e83dd666fff67161864c75057a0f6b4ad1692f0013f0aef47d69ed350662f0784555a72fcdb34bb5937371c7d75010639d5ae31c32d7383ee10a6605b

Score

10^/10

ursnif_rm3 banker trojan

Malware Config

Signatures

Ursnif RM3
A heavily modified version of Ursnif discovered in the wild.
banker trojan ursnif_rm3
Blacklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

14 1844 rundll32.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1716 cmd.exe

flow	pid	process
14	1844	rundll32.exe

pid	process
1716	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1088 timeout.exe

pid	process
1088	timeout.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{979A1B31-2599-11EB-963B-EE4CB9E4853B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000007040bf49218016fd094478b21ce8aaf3f97a4a7c767e59863b125d8f1f7e82e9000000000e8000000002000020000000749061e8a9f0b54bcc50ec6c7e11b845b35d34caa0e0306135d161d09889201d2000000068df17d93a3bbc609351349ba54d967e0c3d358179863cd41975fd703bc496c240000000b689073baa60fa39a3de762fe6f7d9b33895f481cebce5db3afecf1e0fdc22aff2d5aba08a52987bdb25e54c66b8574c64acf0f970357e373e032cab60ecc838	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000001d4b759c4956ce482f5fd2231107cd041fccb3fb542a6bfc994a6682e7449ee7000000000e8000000002000020000000ef15e18aeda4dbfaf4656c039fe0be574676d155fa206021bbd6ddf1f7676aaa90000000801dda518c3708b6b6f7d54d6a6d488e74c8693f6c3d87371f86adc848ccaa12e3cf39cb807aaba04402fd4bac29f7a3155e3bc10ecfda4630e98bc46d9c261c56276d042403c36eac58cd32ecfe527ac5f8c0e344eda7637c9c24d2edaa153d46281321846f27eda00395623cf7c0c64fb7fa762f7c6a0e10ea575f72648ddfb44f8ba2b1bf63e3167ee764db013618400000002dd9b9088fe2d04904b1e3b0a612460c8f2b322de82000ad35cc627eed6dd6bc473010ed85b66012e9c0a913630f73100a1d2505a83460124513f16f70343126	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF08A431-2599-11EB-963B-EE4CB9E4853B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c01ab96fa6b9d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

292 powershell.exe
292 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

292 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 292 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1744 iexplore.exe
1620 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid process

1744 iexplore.exe
1744 iexplore.exe
684 IEXPLORE.EXE
684 IEXPLORE.EXE
1620 iexplore.exe
1620 iexplore.exe
1144 IEXPLORE.EXE
1144 IEXPLORE.EXE

pid	process
292	powershell.exe
292	powershell.exe

pid	process
292	powershell.exe

description	pid	process
Token: SeDebugPrivilege	292	powershell.exe

pid	process
1744	iexplore.exe
1620	iexplore.exe

pid	process
1744	iexplore.exe
1744	iexplore.exe
684	IEXPLORE.EXE
684	IEXPLORE.EXE
1620	iexplore.exe
1620	iexplore.exe
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

rundll32.exeiexplore.exeiexplore.execmd.exeforfiles.execmd.exepowershell.execsc.execsc.execmd.exe

description	pid	process	target process
PID 344 wrote to memory of 1844	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1844	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1844	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1844	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1844	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1844	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1844	344	rundll32.exe	rundll32.exe
PID 1744 wrote to memory of 684	1744	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 684	1744	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 684	1744	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 684	1744	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1144	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1144	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1144	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1144	1620	iexplore.exe	IEXPLORE.EXE
PID 1284 wrote to memory of 1664	1284	cmd.exe	forfiles.exe
PID 1284 wrote to memory of 1664	1284	cmd.exe	forfiles.exe
PID 1284 wrote to memory of 1664	1284	cmd.exe	forfiles.exe
PID 1664 wrote to memory of 1708	1664	forfiles.exe	cmd.exe
PID 1664 wrote to memory of 1708	1664	forfiles.exe	cmd.exe
PID 1664 wrote to memory of 1708	1664	forfiles.exe	cmd.exe
PID 1708 wrote to memory of 292	1708	cmd.exe	powershell.exe
PID 1708 wrote to memory of 292	1708	cmd.exe	powershell.exe
PID 1708 wrote to memory of 292	1708	cmd.exe	powershell.exe
PID 292 wrote to memory of 2028	292	powershell.exe	csc.exe
PID 292 wrote to memory of 2028	292	powershell.exe	csc.exe
PID 292 wrote to memory of 2028	292	powershell.exe	csc.exe
PID 2028 wrote to memory of 1560	2028	csc.exe	cvtres.exe
PID 2028 wrote to memory of 1560	2028	csc.exe	cvtres.exe
PID 2028 wrote to memory of 1560	2028	csc.exe	cvtres.exe
PID 292 wrote to memory of 524	292	powershell.exe	csc.exe
PID 292 wrote to memory of 524	292	powershell.exe	csc.exe
PID 292 wrote to memory of 524	292	powershell.exe	csc.exe
PID 524 wrote to memory of 876	524	csc.exe	cvtres.exe
PID 524 wrote to memory of 876	524	csc.exe	cvtres.exe
PID 524 wrote to memory of 876	524	csc.exe	cvtres.exe
PID 292 wrote to memory of 1260	292	powershell.exe	Explorer.EXE
PID 1716 wrote to memory of 1088	1716	cmd.exe	timeout.exe
PID 1716 wrote to memory of 1088	1716	cmd.exe	timeout.exe
PID 1716 wrote to memory of 1088	1716	cmd.exe	timeout.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2.dll,#1
3⤵
- Blacklisted process makes network request
PID:1844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
2⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\system32\forfiles.exe
forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
3⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\cmd.exe
/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0hfeimb\l0hfeimb.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B62.tmp" "c:\Users\Admin\AppData\Local\Temp\l0hfeimb\CSC8B2F71679E124CD68AC59EAAFFFA4D34.TMP"
7⤵
PID:1560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tdp0kyl0\tdp0kyl0.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BFE.tmp" "c:\Users\Admin\AppData\Local\Temp\tdp0kyl0\CSC6AD2A36814F8442EBD9689B9C5A0A187.TMP"
7⤵
PID:876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\Users\Admin\AppData\Local\Temp\be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2.dll"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\system32\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:1088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
a69fba04d9b13e82fb772d1b38b6054a

SHA1
f7ab8c1d32ddc58e13f65f9b8bb0cc844f164454

SHA256
733d04f9d9e1fdf85914f097cca3f8bfb3926c38a7ccf69e7c74d887abbc64ff

SHA512
6fae50c73cc08c48d5ecb6814785f82c46ded1dc00ba9a8b02a9b2bd907a10bba6015e0a5753487a12765db242162ce4f822bf5d3381a71ae2143c9f5d34669a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
d8bd7742a21914384226b6ca20ccc4dc

SHA1
33e4023b22e7c5f145cab4c9b81a4c7c58ba8c08

SHA256
36c6de23f0254688701439327faaa3c624b19e7b588369d484d7bae32662a836

SHA512
c930545ea3f3873c0bba9f67c11a092dcb0a9b5c1dd3952702f3ba929b243a96009746a995faee75fe2a804cd365dd521403177a613d4a616b64e4a6956799fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
b710c2ecbe780585a46c1e8f29ac2601

SHA1
ce0d24a94a05d53c68fdae6b3e6a38ffd2575278

SHA256
014eedb7022b6f587b4034435e575541286b05620126109ab2deeedc2768ae07

SHA512
3b1316d66e8a1838b527c953e4e9dd26ef2b38175651119832c055becbaf3aa62082d66abc333570e3cb763d1a68deb64dfd042470df667bace2b5da1af95e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
MD5
44a218518d1e0ff8514c5eed1633673f

SHA1
e78b37db4e29b4fd7e357004f76deb802f98ca3f

SHA256
2997b49aa9b2289cbc2188414248118f938245149da0f25909cf48882ff4f2ab

SHA512
5aa8e7ee11c05356d6b956a7d6ab1c674910d89be2615b5ce1125d459933c03d7c4e4cebcef27992663b2149c45c9d635fb618dce97179e30ec6aa8a1ec0213e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\favicon[1].ico
MD5
a976d227e5d1dcf62f5f7e623211dd1b

SHA1
a2a9dc1abdd3d888484678663928cb024c359ee6

SHA256
66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271

SHA512
6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B62.tmp
MD5
42d2af156745354fc96dbd38e3663a8c

SHA1
da11a21b615ed226e8612eca0f9db2e191b83379

SHA256
7667265ebe857ca4d0390c7cf3a43b31c1be44d8c55f0d30012a02a2eaca5001

SHA512
a5d0478e9c21f5f31c06ff017a70683976a4f772f4dbfbb5538bd7e7a1fc2a51e741caab83ffb794a304de028caa73437a633143e3c503905aaabae412eb1a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4BFE.tmp
MD5
5b6ca08c3fab8e01a8b42f7e5e18ecf9

SHA1
1b87b45910c915b7509ed84ff8d051d23fccdc4f

SHA256
cfaf60ed37e1e6c2109a1ef00946b0435156c061eb0eb929810922af5cf1c9f8

SHA512
796fa982a4a0469d4d606ae4ae4281bfd4610104238bf29276cd60c29a75a05661e547d2ba6700c611636eed4c0b2403cfb276b145375685f6e6d455f3b1877d

Download Submit
C:\Users\Admin\AppData\Local\Temp\l0hfeimb\l0hfeimb.dll
MD5
2890b8081ef0a9bf7a317f2495d58867

SHA1
f346744109d93c7613ce9ee4cd806e39e16b7cfb

SHA256
839b17d121a7726224603d48ee9975f81fc60731e094551fb08168ee402ad0cf

SHA512
bacc733d6bbadcec9b9666704cdf4badec95079f4f0f58e4abf9f7dee0c0429c4b1862fad366119c5d92542ffe0b71e63e2c0fa842d55925d74168fc9636a469

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdp0kyl0\tdp0kyl0.dll
MD5
115f2f0ab8bc19b6bc11fb54b08a4382

SHA1
452683fcab922f5fda829fb31ffeff427375d2a2

SHA256
a2d670a0886003d4fd19483503cc44828693caf0992cdb1b8c384a68a7cd6dee

SHA512
d294e98cb0920d585876ad44c74912dbf1637dd4dd00e07165fa4fbbc59035ccd7daca5a40947b4065c73caa5ff7ac157b5449ab4f24ca4055b991d17e87833e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0hfeimb\CSC8B2F71679E124CD68AC59EAAFFFA4D34.TMP
MD5
6f82b237cde485f295354b035a36e142

SHA1
393054657c0b569690c29617ec4b4b092ed5be66

SHA256
42459fda366866f9860cf0d295e28ed1b318ad65e6a8d5b2ad09200347679902

SHA512
94faddcdcb655007d78663cb52bea489e849335e8d350181b521bc9f78a973333014a6b769da3c25ea5edfbf70bc38f2219ee8cbd916e81d945bd13053a491d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0hfeimb\l0hfeimb.0.cs
MD5
aee5ecef6b6a9b4372991443276b71ce

SHA1
911bd26fba4c5e51423f2c6339cc267f8697f339

SHA256
90e03a7c9cb196fd260c54663a4c867f33621ac29746cd8c0a4b2aa9b390754a

SHA512
cf99d4941aa5d1a4dd3abd5ca7a4d3d19a7f497c3247fd09505e263a9a4646b81eb19d7a9312b17a00d22ca9881b6d725b76013b7dc470dcc964b77970c96cc3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0hfeimb\l0hfeimb.cmdline
MD5
d2a775ab85ca5881af6ee6239c8e15db

SHA1
e90d3d03121e899855c6160466b370ad4b3a27d8

SHA256
54ad26e8c118eb0ea2f2717a709985352b8388fbbe12ba92774e0d1cc1e44674

SHA512
b02ea243f4beac0c40e766fe576133be81c21a3fb7b056f7875afdf19b095c39f2e117143edfbcadfa036541da56d8e58d884358ae6eee86d6ed25b3e158d8b2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tdp0kyl0\CSC6AD2A36814F8442EBD9689B9C5A0A187.TMP
MD5
a8bcb375a4d773f76af22d086c22bf5c

SHA1
68ac77bb7c4ff5aeed5f7c8c570dfb9d759f8f49

SHA256
1f244f07e5ca1f551f0f40346ea2998475a5a7cc147611e27792583ae4411cff

SHA512
e45b7a2185483ad158f4d004c92dfde1824534b3c459ad64e190ae255176d0b42d9cfbcd2d58f3b340864c9ced02d3f60480764493ce6740b56582f4a1a80183

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tdp0kyl0\tdp0kyl0.0.cs
MD5
a5043957e07dbe0dee7bb8aad13a403e

SHA1
571c9136e0e90d016dd83b24c40eadbf7186c701

SHA256
73775570d08cc971668d853274b7c9a0cfb407cf76480747b9e38542e5dc53c9

SHA512
14f98e4902059980ed8f46c72fdefeb404f14df0fa06628476d63f9bb9ed76fd6398abd4de8c1de7dfa2a8b2108c31e2b9b668acfc92958c1eecc4a0c8d656a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tdp0kyl0\tdp0kyl0.cmdline
MD5
ba84213b0038aba1a10329be5ac9bca4

SHA1
739959d6c510cdabd4940a7f07e112c5042afd24

SHA256
3337296a37b5d2263690dc5ae4f1636fa0a0cc0411fb8118c76072f9f240a8cb

SHA512
bce1a8abff6296d3d98c156cef427884a997ff7c5b25d9655789bba32cf7b6ecb5ee1562c21653ab5f385710f0e7eb6d0c46d660392bdcd310f83c6e1f6eaa82

Download Submit
memory/292-15-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/292-28-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/292-17-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/292-18-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/292-19-0x000000001B4E0000-0x000000001B4E1000-memory.dmp

Filesize
4KB

Download
memory/292-20-0x000000001C460000-0x000000001C461000-memory.dmp

Filesize
4KB

Download
memory/292-16-0x000000001AA80000-0x000000001AA81000-memory.dmp

Filesize
4KB

Download
memory/292-36-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/292-14-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

Filesize
9.9MB

Download
memory/292-38-0x000000001A8F0000-0x000000001A908000-memory.dmp

Filesize
96KB

Download
memory/292-13-0x0000000000000000-mapping.dmp

Download
memory/332-2-0x000007FEF7590000-0x000007FEF780A000-memory.dmp

Filesize
2.5MB

Download
memory/524-29-0x0000000000000000-mapping.dmp

Download
memory/684-3-0x0000000000000000-mapping.dmp

Download
memory/876-32-0x0000000000000000-mapping.dmp

Download
memory/1088-39-0x0000000000000000-mapping.dmp

Download
memory/1144-4-0x0000000000000000-mapping.dmp

Download
memory/1560-24-0x0000000000000000-mapping.dmp

Download
memory/1664-10-0x0000000000000000-mapping.dmp

Download
memory/1664-11-0x0000000000000000-mapping.dmp

Download
memory/1708-12-0x0000000000000000-mapping.dmp

Download
memory/1844-1-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/1844-0-0x0000000000000000-mapping.dmp

Download
memory/2028-21-0x0000000000000000-mapping.dmp

Download