Overview

overview

10

Static

static

ox9.dll

windows7_x64

10

ox9.dll

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    23-12-2020 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ox9.dll

  • Size

    233KB

  • MD5

    68cf96f4bc91628e22e1526d9728990b

  • SHA1

    a1e1063ec8c3667e86e1afab81cb6bbea84485b3

  • SHA256

    790191b70550856b3e8ec108fdb82cd8d852822d6716ec865f21cfb5ad160b7c

  • SHA512

    ca6bb734df8bf35a2f3346ff5ad954ecc058a719b0eabf90d8c323b80ed6b8659cef5b5f51f65b149c48435bc396920549a72471b0cde1d70a02bf59dbf37b24

Score
10/10
ursnif_rm3bankertrojan

Malware Config

Signatures

  • Ursnif RM3

    A heavily modified version of Ursnif discovered in the wild.

    bankertrojanursnif_rm3
  • Blocklisted process makes network request 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 196 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ox9.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ox9.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:2012
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:552 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1528
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:684 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1772
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1120
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:472
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:472 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:948
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1620
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:992
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:396
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:912 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
    MD5

    953f2125a88eced630fa3f95e287b02f

    SHA1

    441e0e319ee73efd0621095d74e75b6a16239c48

    SHA256

    251e9ca5f4e6580fe9014e843ac3e054aa45d6a8e7cef4f5c7512fc31fc354fa

    SHA512

    b685e7d725dc2bf210c906b744445f1ad59a54a4ee251825f39b12522d98f02be49f4bce3fa1832bb7e08f8e118bfc1ed7c1bd76cb054b24223eb863103c0050

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
    MD5

    42f2366bae7eb3b52decde13e7fe7b44

    SHA1

    e3d6f7a3a20ea61a3eb4c0a238ae2e9289e0bf15

    SHA256

    be06ed60e4e3d72320915491d2e5d03d3a0ac53af2d6640e02cdfb6e2ea9fdab

    SHA512

    a3a6eb544a17aec6e63d7a7fa910662fc95d117353024aacdd5945e5bd9f2f5370daff6e148b09eaa0abfda416da7f021c98f97f5435733bd06d9996e98cc653

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    cf9ddf349d1d01ae1d8e1ce447efb3fe

    SHA1

    cc3b62540dc2db3ee1c368b3f483012119680681

    SHA256

    c4ac60a3407c1227fd51b311f1787c34606caad6986ca2fc1a43cd261532fc2a

    SHA512

    063a967bc4235f06b6237261d3d8bb9a3711cf30c7adf93ab9389add9a3713dcc8676c8e06f9ce18903622361f92a631f856e829662e05cf21264d325bd8e3cc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    7530ba421e3f41f851c48d06d985d18b

    SHA1

    4e27e0c6f2e75e3d18239206c6f236ac83e63ed8

    SHA256

    d9976d418bf04a8cb2f3f21199a71985a028c10c79f3d77078aadfa3ed79df3c

    SHA512

    7b83733e7c52f785b52243fc9869ed2b0b32e12393c0a10bd64187f5750400c77cbc4a341d909759d9c3ba905e53e5b7c831c01e452e9b381f80ecd8c8982217

    Download Submit
  • memory/396-16-0x0000000000000000-mapping.dmp
    Download
  • memory/948-13-0x0000000000000000-mapping.dmp
    Download
  • memory/968-4-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/992-15-0x0000000000000000-mapping.dmp
    Download
  • memory/1120-10-0x0000000000000000-mapping.dmp
    Download
  • memory/1528-5-0x0000000000000000-mapping.dmp
    Download
  • memory/1620-14-0x0000000000000000-mapping.dmp
    Download
  • memory/1772-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1996-17-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-2-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-3-0x0000000000190000-0x00000000001A2000-memory.dmp
    Filesize

    72KB

    Download