Analysis
-
max time kernel
18s -
max time network
114s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-12-2020 18:33
Static task
static1
General
-
Target
YyIUwQv.dll
-
Size
565KB
-
MD5
7099df90d162654fa9e3effa97279f51
-
SHA1
605233409966904822a2e356d662ef837f778396
-
SHA256
c513c300dd29b821c87623a3718a5d29186fb9bdabb61e42abe5c42cb944bb5f
-
SHA512
0623038f073dcb8930228f6866a073e9b6bbfaa79fc0f4ee652cb2b2fc2cb65f91028c33d38597504ad62adca00d477804a908034e82796fdf8e32cb378b8b53
Malware Config
Extracted
Family
ursnif
Attributes
- dga_base_url
-
dga_crc
0
-
dga_season
0
- dga_tlds
- dns_servers
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 2388 3692 WerFault.exe 68 -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 2388 WerFault.exe Token: SeBackupPrivilege 2388 WerFault.exe Token: SeDebugPrivilege 2388 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4040 wrote to memory of 3692 4040 rundll32.exe 68 PID 4040 wrote to memory of 3692 4040 rundll32.exe 68 PID 4040 wrote to memory of 3692 4040 rundll32.exe 68
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\YyIUwQv.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\YyIUwQv.dll,#12⤵PID:3692
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 6083⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-