ursnif_rm3 | 9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0

General

Target

9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0.dll
Size

132KB
MD5

b0f3a46adf98efb3a9ac7cead9b4fc5a
SHA1

01b0ece80907f2d9e500ada1cd2d555b782dd3a2
SHA256

9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0
SHA512

22076388da1305e1a9b7ad3257fde95b81118983c95b0025b3a4c848b6703257dbaeaad3da10dab7e66c18fdb7bc015dbf08f20ad0f37543f40e5b448779b6be

Score

10^/10

ursnif_rm3 banker trojan

Malware Config

Signatures

Ursnif RM3
A heavily modified version of Ursnif discovered in the wild.
banker trojan ursnif_rm3
Blacklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

17 1532 rundll32.exe

flow	pid	process
17	1532	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 196 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA4DFAA1-325A-11EB-A309-520DDC0DB10A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000b137d9227de917c86fdfa138637096dda4b07f083a4cffd16bd1d58ea00d3860000000000e8000000002000020000000c5d476203491cf0b7e9b4a7a1f391d0a085261349e0fc4dd8426f7f511693139200000000f1743928a0cb0e087e1a82deda7ff3d65ffa33de20a46aebdba605381d0cdfb40000000b18fb4e8648cfcbe0c555c15c34c94fa40251c21bba1225c8dafd57bffc355cc579c870050e8821ea70252ae7d6f62ffa02fe82d0a1007c7452f46f4c03b43c8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{163D3B81-325B-11EB-A309-520DDC0DB10A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3760E001-325B-11EB-A309-520DDC0DB10A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3FC196E1-325B-11EB-A309-520DDC0DB10A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2EFDC7C1-325B-11EB-A309-520DDC0DB10A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

644 iexplore.exe
1928 iexplore.exe
1056 iexplore.exe
1720 iexplore.exe
644 iexplore.exe
2000 iexplore.exe
268 iexplore.exe
876 iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
644	iexplore.exe
644	iexplore.exe
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
1928	iexplore.exe
1928	iexplore.exe
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1056	iexplore.exe
1056	iexplore.exe
464	IEXPLORE.EXE
464	IEXPLORE.EXE
1720	iexplore.exe
1720	iexplore.exe
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE
644	iexplore.exe
644	iexplore.exe
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE
2000	iexplore.exe
2000	iexplore.exe
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
268	iexplore.exe
268	iexplore.exe
1772	IEXPLORE.EXE
1772	IEXPLORE.EXE
876	iexplore.exe
876	iexplore.exe
1356	IEXPLORE.EXE
1356	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

rundll32.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 784 wrote to memory of 1532	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 1532	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 1532	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 1532	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 1532	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 1532	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 1532	784	rundll32.exe	rundll32.exe
PID 644 wrote to memory of 1156	644	iexplore.exe	IEXPLORE.EXE
PID 644 wrote to memory of 1156	644	iexplore.exe	IEXPLORE.EXE
PID 644 wrote to memory of 1156	644	iexplore.exe	IEXPLORE.EXE
PID 644 wrote to memory of 1156	644	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 1624	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 1624	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 1624	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 1624	1928	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 464	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 464	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 464	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 464	1056	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1696	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1696	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1696	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1696	1720	iexplore.exe	IEXPLORE.EXE
PID 644 wrote to memory of 1676	644	iexplore.exe	IEXPLORE.EXE
PID 644 wrote to memory of 1676	644	iexplore.exe	IEXPLORE.EXE
PID 644 wrote to memory of 1676	644	iexplore.exe	IEXPLORE.EXE
PID 644 wrote to memory of 1676	644	iexplore.exe	IEXPLORE.EXE
PID 2000 wrote to memory of 1636	2000	iexplore.exe	IEXPLORE.EXE
PID 2000 wrote to memory of 1636	2000	iexplore.exe	IEXPLORE.EXE
PID 2000 wrote to memory of 1636	2000	iexplore.exe	IEXPLORE.EXE
PID 2000 wrote to memory of 1636	2000	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1772	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1772	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1772	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1772	268	iexplore.exe	IEXPLORE.EXE
PID 876 wrote to memory of 1356	876	iexplore.exe	IEXPLORE.EXE
PID 876 wrote to memory of 1356	876	iexplore.exe	IEXPLORE.EXE
PID 876 wrote to memory of 1356	876	iexplore.exe	IEXPLORE.EXE
PID 876 wrote to memory of 1356	876	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0.dll,#1
2⤵
- Blacklisted process makes network request
PID:1532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:268

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:876 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B89CABBDDFF8EE7E973D0A6932822EA5

MD5
f7959966ec2faa5464073bbf5d5226fd

SHA1
003e15cc9cac1fef5e82012d5bc72ce6c882b906

SHA256
fb2e1e1e39d9ad9ba772401a4bb3b17e8ee5f6fb1f2d5c3fef9ded5150a49e1b

SHA512
74187d302978de0de05bcc01f6dbdf3244958a67264e025a221c42bda99bd7d65ed7d0b10403592ab17635f6982c38e9c4cdcb050a18d2c62db2ed073349d8b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

MD5
d9a7c71f2455317845563b02c39b84c8

SHA1
ecbf1e7829878111d90e776b0deb79d33efa73b4

SHA256
c5b24a2e28e55081e315826ed0127557077434f24d5c3eff803c45aa4ef1b827

SHA512
675951ad8b62009fedd018df1c1dc00ba124d6d0564df7637955c5dc035d0f3d63367b5b2874315b549d206d0870ae6bbcf5e4faed8f6ba125123bd9326912f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
c3869270b9cb09899f20f7888b836305

SHA1
da8d001c71be7e33a8253bd3d2843be8a1e48919

SHA256
dc717d6222662a4e7812dd3e25703f27978c52bcd0a4cdb62f0adcd501bf50ab

SHA512
8af831ef65d651782e6846907b73decd0c06f7fd652d3e3b39140be913595a8f662c3cd78f18c3a6cfff4e83eae0a55d558bddedc741305d8f22a624de16713c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B89CABBDDFF8EE7E973D0A6932822EA5

MD5
84b1735d8453a095504148b70cbc535b

SHA1
143866b98c04b0a945d17bee155342ae2060b9df

SHA256
4417c840d7a708da976c66b8de6aead3d698d9c387fa0c4618a0714d2b58e68d

SHA512
962f1e1de5f8674e2f203ebac7b8fd141395b3c16d5671834489851d567bad44b4278512d6f72e0ade997f7a978043899a86788b3c46d6f5648e0358759fdcf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

MD5
c4b13ebf4c3e3cc53cba019c19c311d2

SHA1
965a34a9192322569d19e57c499818aac5749685

SHA256
7137e94939af29dd5e6c46a88fe86d219761ece30abb0276135a6ff2d5c4caaa

SHA512
e8468632196a9ff7242e7147af59587af14056ba4c1f3d452c1c1a55bbcf216b9f2aa1bdea75e630262d302faa4808eb1effd818633c0f7f7f0e294f4e2b4ad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5
0ecf47e78e5ecb4f4064d1d1cae1cf6e

SHA1
a0860bcc5d16b9f8bb62ec22815b895f805a4ad3

SHA256
bccb72b0667be32bfbbcff5b7ad9f194994f0b99af1d50dd2e29d29c73fe848b

SHA512
ce98ab9528ceea1df75c8e54e169db6843a6951572d52ce20c730e79e0d2d994f3a2d9ac83d4241a75291e564b5ce26ceac6bb4491661d78bb3f461b1afa1ac4

Download Submit
memory/464-15-0x0000000000000000-mapping.dmp

Download
memory/512-4-0x000007FEF7EB0000-0x000007FEF812A000-memory.dmp

Filesize
2.5MB

Download
memory/1156-6-0x0000000006670000-0x0000000006693000-memory.dmp

Filesize
140KB

Download
memory/1156-7-0x0000000004B30000-0x0000000004B33000-memory.dmp

Filesize
12KB

Download
memory/1156-5-0x0000000000000000-mapping.dmp

Download
memory/1356-27-0x0000000000000000-mapping.dmp

Download
memory/1532-2-0x0000000000000000-mapping.dmp

Download
memory/1532-3-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/1624-8-0x0000000000000000-mapping.dmp

Download
memory/1636-23-0x0000000000000000-mapping.dmp

Download
memory/1676-21-0x0000000000000000-mapping.dmp

Download
memory/1696-19-0x0000000000000000-mapping.dmp

Download
memory/1772-25-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads