Resubmissions

17/01/2021, 18:41

210117-6tswpdfc2n 6

15/01/2021, 00:12

210115-sn86b9adwn 10

15/01/2021, 00:10

210115-4ez2jwsxxe 1

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15/01/2021, 00:12

General

  • Target

    https://www.poly.com/in/en/support/downloads-apps

  • Sample

    210115-sn86b9adwn

Malware Config

Signatures

  • Registers COM server for autorun (1 TTPs)
  • Ursnif RM3

    A heavily modified version of Ursnif discovered in the wild.

  • Executes dropped EXE (8 IoCs)
  • Suspicious Office macro (1 IoCs)

    Office document equipped with 4.0 macros.

  • Loads dropped DLL (115 IoCs)
  • Adds Run key to start application (2 TTPs, 6 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled (1 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable (20 IoCs)
  • Drops file in System32 directory (35 IoCs)
  • Drops file in Program Files directory (126 IoCs)
  • Drops file in Windows directory (63 IoCs)
  • Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 84 IoCs)
  • Modifies data under HKEY_USERS (143 IoCs)
  • Modifies registry class (1156 IoCs)
  • Suspicious behavior: EnumeratesProcesses (172 IoCs)
  • Suspicious use of AdjustPrivilegeToken (316 IoCs)
  • Suspicious use of FindShellTrayWindow (12 IoCs)
  • Suspicious use of SendNotifyMessage (9 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (78 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.poly.com/in/en/support/downloads-apps
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1896
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:2307080 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1468
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5T8OP4KT\PlantronicsHubInstaller.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5T8OP4KT\PlantronicsHubInstaller.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Users\Admin\AppData\Local\Temp\{1318D589-C426-49DA-8A3B-7C5EC011BA50}\.cr\PlantronicsHubInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\{1318D589-C426-49DA-8A3B-7C5EC011BA50}\.cr\PlantronicsHubInstaller.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5T8OP4KT\PlantronicsHubInstaller.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Users\Admin\AppData\Local\Temp\{A1962986-104F-4029-922C-E7A8DF8A96D4}\.be\PlantronicsHubBootstrapper.exe
          "C:\Users\Admin\AppData\Local\Temp\{A1962986-104F-4029-922C-E7A8DF8A96D4}\.be\PlantronicsHubBootstrapper.exe" -q -burn.elevated BurnPipe.{385B6554-1493-4DF8-9458-849DA2B2DBEF} {9E3B9C6E-AA39-430D-AD10-964FDA7895CC} 2116
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2196
          • C:\ProgramData\Package Cache\568C7E338D8BD9134D64C59ACA8B96AF303B141B\OldMHUUninstaller.exe
            "C:\ProgramData\Package Cache\568C7E338D8BD9134D64C59ACA8B96AF303B141B\OldMHUUninstaller.exe" /install /quiet
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2272
            • C:\Users\Admin\AppData\Local\Temp\{7FF659C4-F6C1-4110-9C8F-D381924B8B37}\.cr\OldMHUUninstaller.exe
              "C:\Users\Admin\AppData\Local\Temp\{7FF659C4-F6C1-4110-9C8F-D381924B8B37}\.cr\OldMHUUninstaller.exe" -burn.clean.room="C:\ProgramData\Package Cache\568C7E338D8BD9134D64C59ACA8B96AF303B141B\OldMHUUninstaller.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2296
              • C:\Users\Admin\AppData\Local\Temp\{A266F7F2-FE16-4EE3-9BBF-2B3776F56F24}\.be\OldMHUUninstaller.exe
                "C:\Users\Admin\AppData\Local\Temp\{A266F7F2-FE16-4EE3-9BBF-2B3776F56F24}\.be\OldMHUUninstaller.exe" -q -burn.elevated BurnPipe.{79A85C02-D8E9-4432-B899-69C81E84CFF3} {DA2AB08F-45DA-48DE-84CB-FA4623EFFB99} 2296
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Windows directory
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                PID:2368
        • C:\Program Files (x86)\Plantronics\Spokes3G\PLTHub.exe
          "C:\Program Files (x86)\Plantronics\Spokes3G\PLTHub.exe" -setfocus
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2288
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2460
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "000000000000056C" "00000000000003E8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2628
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ADE95329E1A3D9FC7686DE99B64C3C24
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2952
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding CC39DC86C01BC443C9F118DC3387FC85
      2⤵
      • Loads dropped DLL
      PID:3028
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 858D674D8C2203A00F8FF317D490C0AA M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies registry class
      PID:1072
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding C7FC00274657748FC2DF2CB2CFA2A8CF M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1556
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3430c2a7-8edc-0748-4a42-2d09bc82e655}\PLTCSRBCxUSB.inf" "9" "6ba8011f3" "0000000000000550" "WinSta0\Default" "00000000000003B0" "208" "C:\Program Files\Common Files\Plantronics\CSR"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1228
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{00d9866a-4925-4d7f-649b-291bf4a9df17}\calisto.inf" "9" "6c8c6ef9b" "00000000000003B0" "WinSta0\Default" "00000000000003E8" "208" "C:\Program Files\Common Files\Plantronics\Calisto"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2128
  • C:\Program Files (x86)\Plantronics\Spokes3G\SpokesUpdateService.exe
    "C:\Program Files (x86)\Plantronics\Spokes3G\SpokesUpdateService.exe" install
    1⤵
    • Executes dropped EXE
    PID:844

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1072-83-0x0000000002940000-0x0000000002951000-memory.dmp (Filesize: 68KB)
  • memory/1072-305-0x0000000002610000-0x0000000002614000-memory.dmp (Filesize: 16KB)
  • memory/1072-304-0x0000000002610000-0x0000000002614000-memory.dmp (Filesize: 16KB)
  • memory/1072-84-0x0000000002530000-0x0000000002541000-memory.dmp (Filesize: 68KB)
  • memory/1072-82-0x0000000002530000-0x0000000002541000-memory.dmp (Filesize: 68KB)
  • memory/1448-2-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp (Filesize: 2.5MB)
  • memory/2296-43-0x0000000002DD0000-0x0000000002DD1000-memory.dmp (Filesize: 4KB)