Analysis

max time kernel: 901s
max time network: 903s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 23-01-2024 11:22

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.BScope.TrojanSpy.Ursnif.dll
Resource: win7-20231215-en
General

Target: SecuriteInfo.com.BScope.TrojanSpy.Ursnif.dll
Size: 426KB
MD5: 95d3b622d696c1a31dbef624a2e47163
SHA1: 8a1c5a4f794af421e7b54471ed7f4a62212721a0
SHA256: f84e08a4d83f63cb37f7117f401c242ecbd3ebbd6b7a12fb99332bcf5950f803
SHA512: c3ac8a246e7d769faa21f330c5c0a0fef4c4e33a6875478e43ee891f367e90fee3ea657b08ba338f6263e38b17efe69b7c5c1c86167afc871b9a20f251fd67d1
SSDEEP: 6144:gJf9uWKIWhnuEbXDcQ/MUF0140znw+i/ZEOEHDLDXRYWQ:g6Jhu0IQ/MUwcDENTQ
Malware Config

Extracted: zloader
june26
june
URLs:
http://snnmnkxdhflwgthqismb.com/web/post.php
http://nlbmfsyplohyaicmxhum.com/web/post.php
http://softwareserviceupdater1.com/web/post.php
http://softwareserviceupdater2.com/web/post.php
build_id: 10
Signatures

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2524 set thread context of 2948 | 2524 | regsvr32.exe | 31

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeSecurityPrivilege | 2948 | msiexec.exe
Token: SeSecurityPrivilege | 2948 | msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target | occurrences
PID 1188 wrote to memory of 2524 | 1188 | regsvr32.exe | 28 | 7
PID 2524 wrote to memory of 2948 | 2524 | regsvr32.exe | 31 | 9
Processes

C:\Windows\system32\regsvr32.exe (PID 1188)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.TrojanSpy.Ursnif.dll
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (PID 2524)
    command line: /s C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.TrojanSpy.Ursnif.dll
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (PID 2948)
      command line: msiexec.exe
      - Suspicious use of AdjustPrivilegeToken