Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • resource
    win7v191014

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d0a308811bd0cf98b7f3c13328f34e192ae9f07c

  • Sample

    191018-dhmnstln9e

  • SHA256

    749d9f1bd425a9b49b9ad6e4bcdcb1954de0ad97d6b1506f1fd41ca62ff196c6

Score
N/A

Malware Config

Extracted

Family

ursnif

Botnet

500

C2

http://myhomesitter.fun

Attributes
  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    1.320669898e+09

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    107.174.86.134

    107.175.127.22

rsa_pubkey.base64
serpent.plain

Signatures

  • Suspicious use of FindShellTrayWindow 5 IoCs
  • ursnif family
    family
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0a308811bd0cf98b7f3c13328f34e192ae9f07c.exe
    "C:\Users\Admin\AppData\Local\Temp\d0a308811bd0cf98b7f3c13328f34e192ae9f07c.exe"
    1⤵
      PID:1116
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      PID:828
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:275457 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1512
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      PID:1324
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1320
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      PID:1608
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:608
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      PID:1184
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:275457 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1344
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      PID:1788
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1040

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\16m9s56\imagestore.dat
      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\16m9s56\imagestore.dat
      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\16m9s56\imagestore.dat
      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\16m9s56\imagestore.dat
      Download Submit

    • memory/1116-0-0x000000000051A000-0x000000000051B000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1116-1-0x0000000000600000-0x0000000000611000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1116-2-0x0000000000230000-0x000000000023F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1512-3-0x00000000060F0000-0x0000000006113000-memory.dmp

      Filesize

      140KB

      Download