Analysis

  • max time kernel: 142s
  • max time network: 141s
  • platform: windows7_x64
  • resource: win7v20201028
  • submitted: 09-12-2020 00:12

General

  • Target: 5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80.exe
  • Size: 150KB
  • MD5: a8864ed2fc43a52cb42127c37720c88e
  • SHA1: 96a8f93afd9c2835ee1d22ab58cdd0399bfdfc21
  • SHA256: 5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80
  • SHA512: 5502b38b0ca9921c9cf9c3667cef846f1f495302c89290ba7351c169cb50ad9153a7d097af9cc882a6d7353e7b118647a59a07aaa293c25dd243132f82e43deb

Malware Config

Signatures

  • Ursnif RM3: a heavily modified version of Ursnif discovered in the wild.
  • Modifies Internet Explorer settings (1 TTPs, 174 IoCs)
  • Suspicious use of FindShellTrayWindow (7 IoCs)
  • Suspicious use of SetWindowsHookEx (28 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80.exe (PID 1668)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80.exe"
    • C:\Program Files\Internet Explorer\iexplore.exe (PID 316)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 528)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:316 CREDAT:275457 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    • C:\Program Files\Internet Explorer\iexplore.exe (PID 1192)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1468)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:275457 /prefetch:2
        Signatures: Suspicious use of SetWindowsHookEx
    • C:\Program Files\Internet Explorer\iexplore.exe (PID 1284)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 676)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1284 CREDAT:275457 /prefetch:2
        Signatures: Suspicious use of SetWindowsHookEx
    • C:\Program Files\Internet Explorer\iexplore.exe (PID 1712)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 272)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    • C:\Program Files\Internet Explorer\iexplore.exe (PID 1160)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1992)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1160 CREDAT:275457 /prefetch:2
        Signatures: Suspicious use of SetWindowsHookEx
    • C:\Program Files\Internet Explorer\iexplore.exe (PID 2012)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1152)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    • C:\Program Files\Internet Explorer\iexplore.exe (PID 1088)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1924)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1088 CREDAT:275457 /prefetch:2
        Signatures: Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion (1): Modify Registry, T1112


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F250CE97E66B5257D9A750299D6D415B
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F250CE97E66B5257D9A750299D6D415B

  • memory/272-18-0x0000000000000000-mapping.dmp
  • memory/528-5-0x0000000007400000-0x0000000007423000-memory.dmp (140KB)
  • memory/528-6-0x00000000054C0000-0x00000000054C3000-memory.dmp (12KB)
  • memory/528-4-0x0000000000000000-mapping.dmp
  • memory/676-14-0x0000000000000000-mapping.dmp
  • memory/1096-3-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmp (2.5MB)
  • memory/1152-22-0x0000000000000000-mapping.dmp
  • memory/1468-7-0x0000000000000000-mapping.dmp
  • memory/1668-2-0x0000000000260000-0x0000000000272000-memory.dmp (72KB)
  • memory/1924-24-0x0000000000000000-mapping.dmp
  • memory/1992-20-0x0000000000000000-mapping.dmp