12ea4b688f33a5448c08c52d09b6e993b9ee293d09ba673c567c7a6d1ec7b94c

General

Target

5abdb8b16f503976c3e726521c1f93b927931c00
Sample

191018-xssrgacz7s
SHA256

12ea4b688f33a5448c08c52d09b6e993b9ee293d09ba673c567c7a6d1ec7b94c

Score

N/A

Malware Config

Extracted

Family

ursnif

Botnet

1000

C2

http://alister-mathmatics.club

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
1.320669898e+09
dga_season
10
dga_tlds
com

ru

org
dns_servers
107.174.86.134

107.175.127.22

rsa_pubkey.base64

serpent.plain

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	752	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0C115E11-F1DD-11E9-B942-7EE986143E30} = "0"	752	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	752	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	752	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	752	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	752	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	752	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee000000000200000000001066000000010000200000004540d1b82186b1797f8ac983d40a0b3092c9656fb1c77d6e0083b1b30db28537000000000e80000000020000200000009289e9f3e0e90427b43d3b1dfce88e1f652219b891539125b4e257ad44c732f720000000d7cdb05c6e02a2a63a58956ccffba1ccfdfcb233a92ad776f121c11c8f0f2a3640000000a7f704a8ade9f927f53f9680723a74bbc431758ee4def557299dd32cd21bd5facc7dc48a05a6be3d179a5addda4aa7fac994d03d835891c70ad0c9cbcfad88ef	752	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f01ee4e3e985d501	752	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee0000000002000000000010660000000100002000000007847e7e6595ceb5765e942e6d7a99d99962074562c9f8c6fa4673cabfc43dcc000000000e8000000002000020000000e0f6292d2d95bb2d6e053a30c048a157b764ab6c34621445d6e3da341bbdd6b090000000d5e748e20b02b3c1ca84835323f7cde16c0db764beeefd7b4f7c6cd19cd173ab6731820265f383f07a2d337108a0ea859ff45e9637e5478bae83745fbe3fb3854c76fe06fe6dcc285089ea67eda45b2edfa15e08191d39f3531dc369999aa27862d349958a6a56c1e09d1b614b68751997c8b67522d2b255508a8576c93db011d33e3c2ca1322f0bd87f0dfe1a03128640000000b7ccda663b1129b3213b48c578cdf90cae7ad324d85688683a55066b26780eb097f03699682c6924364f9d1157430301dfa08a10df1388cbe34250628ea18c3a	752	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	2116	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27D2C671-F1DD-11E9-B942-7EE986143E30} = "0"	2116	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2116	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	2116	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	2116	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	2116	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	2336	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34EA5671-F1DD-11E9-B942-7EE986143E30} = "0"	2336	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2336	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	2336	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	2336	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	2336	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	2576	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{42129011-F1DD-11E9-B942-7EE986143E30} = "0"	2576	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2576	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	2576	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	2576	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	2576	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	2924	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4F86F5B1-F1DD-11E9-B942-7EE986143E30} = "0"	2924	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2924	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	2924	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	2924	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	2924	iexplore.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 752 wrote to memory of 1116	752	iexplore.exe	IEXPLORE.EXE
PID 2116 wrote to memory of 2168	2116	iexplore.exe	IEXPLORE.EXE
PID 2336 wrote to memory of 2388	2336	iexplore.exe	IEXPLORE.EXE
PID 2576 wrote to memory of 2624	2576	iexplore.exe	IEXPLORE.EXE
PID 2924 wrote to memory of 2976	2924	iexplore.exe	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
752	iexplore.exe
1116	IEXPLORE.EXE
2116	iexplore.exe
2168	IEXPLORE.EXE
2336	iexplore.exe
2388	IEXPLORE.EXE
2576	iexplore.exe
2624	IEXPLORE.EXE
2924	iexplore.exe
2976	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

752 iexplore.exe
2116 iexplore.exe
2336 iexplore.exe
2576 iexplore.exe
2924 iexplore.exe
ursnif family
family

C:\Users\Admin\AppData\Local\Temp\5abdb8b16f503976c3e726521c1f93b927931c00.exe
"C:\Users\Admin\AppData\Local\Temp\5abdb8b16f503976c3e726521c1f93b927931c00.exe"
1⤵
PID:1412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:752

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:752 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:2116

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:2336

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:2576

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:2924

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\16m9s56\imagestore.dat

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\16m9s56\imagestore.dat

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\16m9s56\imagestore.dat

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\16m9s56\imagestore.dat

Download Submit
memory/1116-3-0x00000000054F0000-0x0000000005513000-memory.dmp

Filesize
140KB

Download
memory/1412-0-0x00000000002E9000-0x0000000000301000-memory.dmp

Filesize
96KB

Download
memory/1412-1-0x0000000001C00000-0x0000000001C11000-memory.dmp

Filesize
68KB

Download
memory/1412-2-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads