Resubmissions

11-01-2021 03:44

210111-v8hz9lm7zs 10

29-11-2020 15:49

201129-sp88h75zyn 10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    29-11-2020 15:49

General

  • Target

    9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0.dll

  • Size

    132KB

  • MD5

    b0f3a46adf98efb3a9ac7cead9b4fc5a

  • SHA1

    01b0ece80907f2d9e500ada1cd2d555b782dd3a2

  • SHA256

    9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0

  • SHA512

    22076388da1305e1a9b7ad3257fde95b81118983c95b0025b3a4c848b6703257dbaeaad3da10dab7e66c18fdb7bc015dbf08f20ad0f37543f40e5b448779b6be

Malware Config

Signatures

  • Ursnif RM3

    A heavily modified version of Ursnif discovered in the wild.

  • Blacklisted process makes network request 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 196 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0.dll,#1
      2⤵
      • Blacklisted process makes network request
      PID:1532
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1156
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1624
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:464
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1696
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1676
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1636
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:268
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1772
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:876 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1356

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (T1112): 1


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B89CABBDDFF8EE7E973D0A6932822EA5
    MD5

    f7959966ec2faa5464073bbf5d5226fd

    SHA1

    003e15cc9cac1fef5e82012d5bc72ce6c882b906

    SHA256

    fb2e1e1e39d9ad9ba772401a4bb3b17e8ee5f6fb1f2d5c3fef9ded5150a49e1b

    SHA512

    74187d302978de0de05bcc01f6dbdf3244958a67264e025a221c42bda99bd7d65ed7d0b10403592ab17635f6982c38e9c4cdcb050a18d2c62db2ed073349d8b5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
    MD5

    d9a7c71f2455317845563b02c39b84c8

    SHA1

    ecbf1e7829878111d90e776b0deb79d33efa73b4

    SHA256

    c5b24a2e28e55081e315826ed0127557077434f24d5c3eff803c45aa4ef1b827

    SHA512

    675951ad8b62009fedd018df1c1dc00ba124d6d0564df7637955c5dc035d0f3d63367b5b2874315b549d206d0870ae6bbcf5e4faed8f6ba125123bd9326912f5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    c3869270b9cb09899f20f7888b836305

    SHA1

    da8d001c71be7e33a8253bd3d2843be8a1e48919

    SHA256

    dc717d6222662a4e7812dd3e25703f27978c52bcd0a4cdb62f0adcd501bf50ab

    SHA512

    8af831ef65d651782e6846907b73decd0c06f7fd652d3e3b39140be913595a8f662c3cd78f18c3a6cfff4e83eae0a55d558bddedc741305d8f22a624de16713c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B89CABBDDFF8EE7E973D0A6932822EA5
    MD5

    84b1735d8453a095504148b70cbc535b

    SHA1

    143866b98c04b0a945d17bee155342ae2060b9df

    SHA256

    4417c840d7a708da976c66b8de6aead3d698d9c387fa0c4618a0714d2b58e68d

    SHA512

    962f1e1de5f8674e2f203ebac7b8fd141395b3c16d5671834489851d567bad44b4278512d6f72e0ade997f7a978043899a86788b3c46d6f5648e0358759fdcf8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
    MD5

    c4b13ebf4c3e3cc53cba019c19c311d2

    SHA1

    965a34a9192322569d19e57c499818aac5749685

    SHA256

    7137e94939af29dd5e6c46a88fe86d219761ece30abb0276135a6ff2d5c4caaa

    SHA512

    e8468632196a9ff7242e7147af59587af14056ba4c1f3d452c1c1a55bbcf216b9f2aa1bdea75e630262d302faa4808eb1effd818633c0f7f7f0e294f4e2b4ad4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    0ecf47e78e5ecb4f4064d1d1cae1cf6e

    SHA1

    a0860bcc5d16b9f8bb62ec22815b895f805a4ad3

    SHA256

    bccb72b0667be32bfbbcff5b7ad9f194994f0b99af1d50dd2e29d29c73fe848b

    SHA512

    ce98ab9528ceea1df75c8e54e169db6843a6951572d52ce20c730e79e0d2d994f3a2d9ac83d4241a75291e564b5ce26ceac6bb4491661d78bb3f461b1afa1ac4

  • memory/464-15-0x0000000000000000-mapping.dmp
  • memory/512-4-0x000007FEF7EB0000-0x000007FEF812A000-memory.dmp
    Filesize

    2.5MB

  • memory/1156-6-0x0000000006670000-0x0000000006693000-memory.dmp
    Filesize

    140KB

  • memory/1156-7-0x0000000004B30000-0x0000000004B33000-memory.dmp
    Filesize

    12KB

  • memory/1156-5-0x0000000000000000-mapping.dmp
  • memory/1356-27-0x0000000000000000-mapping.dmp
  • memory/1532-2-0x0000000000000000-mapping.dmp
  • memory/1532-3-0x0000000000180000-0x0000000000192000-memory.dmp
    Filesize

    72KB

  • memory/1624-8-0x0000000000000000-mapping.dmp
  • memory/1636-23-0x0000000000000000-mapping.dmp
  • memory/1676-21-0x0000000000000000-mapping.dmp
  • memory/1696-19-0x0000000000000000-mapping.dmp
  • memory/1772-25-0x0000000000000000-mapping.dmp