12ea4b688f33a5448c08c52d09b6e993b9ee293d09ba673c567c7a6d1ec7b94c

Analysis

max time kernel
132s
max time network
134s
resource
win7v191014

Sharing

Copy URL

Twitter E-mail

General

Target

5abdb8b16f503976c3e726521c1f93b927931c00
Sample

191018-xssrgacz7s
SHA256

12ea4b688f33a5448c08c52d09b6e993b9ee293d09ba673c567c7a6d1ec7b94c

Score

N/A

Malware Config

Extracted

Family

ursnif

Botnet

1000

http://alister-mathmatics.club

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
1.320669898e+09
dga_season
10
dga_tlds
com

ru

org
dns_servers
107.174.86.134

107.175.127.22

rsa_pubkey.base64

1
AAgAANbmcBjNV5tiTgWcPhRrJgQb0kYFfNBWiuaU1J/dJsUiz22VcOLdUDhcUyPN2+UzuwTaogL0vmF9dmRYMI9x6oN/BuzJHLUNqZ/gNh+m2JOChNoIfEGh3N/ijmoEyzeSWf6w7TUqNKZbAAO3TqtXbZ2uKNxL/EHMkS2Ga4fTWv0DlleQejqdZMAKWVnDf8c51Goj2tatdUCuKVfECoOg1QzfXu6NBqT0l3aQ+85KMqaoaIZSf+Sqfy5k0geIgEn7DLO+iGf9gh6xPLQkXX0Z9uMT9GUnz559bt/meLxxF2YsLvQlRl/v8Avr+Kb6BIoetITREEBoDXFbwyhJNrPa2qEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAB

serpent.plain

1
YQiUrgpfMGxlbXo6

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	pid	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	752	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0C115E11-F1DD-11E9-B942-7EE986143E30} = "0"	752	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	752	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	752	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	752	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	752	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	752	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee000000000200000000001066000000010000200000004540d1b82186b1797f8ac983d40a0b3092c9656fb1c77d6e0083b1b30db28537000000000e80000000020000200000009289e9f3e0e90427b43d3b1dfce88e1f652219b891539125b4e257ad44c732f720000000d7cdb05c6e02a2a63a58956ccffba1ccfdfcb233a92ad776f121c11c8f0f2a3640000000a7f704a8ade9f927f53f9680723a74bbc431758ee4def557299dd32cd21bd5facc7dc48a05a6be3d179a5addda4aa7fac994d03d835891c70ad0c9cbcfad88ef	752	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f01ee4e3e985d501	752	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee0000000002000000000010660000000100002000000007847e7e6595ceb5765e942e6d7a99d99962074562c9f8c6fa4673cabfc43dcc000000000e8000000002000020000000e0f6292d2d95bb2d6e053a30c048a157b764ab6c34621445d6e3da341bbdd6b090000000d5e748e20b02b3c1ca84835323f7cde16c0db764beeefd7b4f7c6cd19cd173ab6731820265f383f07a2d337108a0ea859ff45e9637e5478bae83745fbe3fb3854c76fe06fe6dcc285089ea67eda45b2edfa15e08191d39f3531dc369999aa27862d349958a6a56c1e09d1b614b68751997c8b67522d2b255508a8576c93db011d33e3c2ca1322f0bd87f0dfe1a03128640000000b7ccda663b1129b3213b48c578cdf90cae7ad324d85688683a55066b26780eb097f03699682c6924364f9d1157430301dfa08a10df1388cbe34250628ea18c3a	752	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	2116	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27D2C671-F1DD-11E9-B942-7EE986143E30} = "0"	2116	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2116	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	2116	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	2116	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	2116	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	2336	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34EA5671-F1DD-11E9-B942-7EE986143E30} = "0"	2336	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2336	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	2336	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	2336	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	2336	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	2576	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{42129011-F1DD-11E9-B942-7EE986143E30} = "0"	2576	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2576	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	2576	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	2576	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	2576	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	2924	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4F86F5B1-F1DD-11E9-B942-7EE986143E30} = "0"	2924	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2924	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	2924	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	2924	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	2924	iexplore.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1116	752	iexplore.exe	30
PID 2116 wrote to memory of 2168	2116	iexplore.exe	33
PID 2336 wrote to memory of 2388	2336	iexplore.exe	35
PID 2576 wrote to memory of 2624	2576	iexplore.exe	37
PID 2924 wrote to memory of 2976	2924	iexplore.exe	41

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
752	iexplore.exe
1116	IEXPLORE.EXE
2116	iexplore.exe
2168	IEXPLORE.EXE
2336	iexplore.exe
2388	IEXPLORE.EXE
2576	iexplore.exe
2624	IEXPLORE.EXE
2924	iexplore.exe
2976	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
752	iexplore.exe
2116	iexplore.exe
2336	iexplore.exe
2576	iexplore.exe
2924	iexplore.exe

ursnif family
family

C:\Users\Admin\AppData\Local\Temp\5abdb8b16f503976c3e726521c1f93b927931c00.exe
"C:\Users\Admin\AppData\Local\Temp\5abdb8b16f503976c3e726521c1f93b927931c00.exe"
1⤵
PID:1412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:752

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:752 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:2116

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:2336

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:2576

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:2924

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2976

Network

No results found

224.0.0.252:5355

128 B
2
224.0.0.252:5355

132 B
2
224.0.0.252:5355

128 B
2
8.8.8.8:53

go.microsoft.com

76 B
171 B
1
1

DNS Request

go.microsoft.com

DNS Response

23.66.21.99
224.0.0.252:5355

128 B
2
224.0.0.252:5355

128 B
2
224.0.0.252:5355

132 B
2
224.0.0.252:5355

128 B
2
8.8.8.8:53

alister-mathmatics.club

83 B
153 B
1
1

DNS Request

alister-mathmatics.club
8.8.8.8:53

go.microsoft.com

76 B
171 B
1
1

DNS Request

go.microsoft.com

DNS Response

23.66.21.99
224.0.0.252:5355

128 B
2
239.255.255.250:1900
10.7.0.255:137

3.1kB
33
224.0.0.252:5355

132 B
2
8.8.8.8:53

go.microsoft.com

76 B
171 B
1
1

DNS Request

go.microsoft.com

DNS Response

23.66.21.99
8.8.8.8:53

go.microsoft.com

76 B
171 B
1
1

DNS Request

go.microsoft.com

DNS Response

23.66.21.99
239.255.255.250:1900

1.1kB
6
8.8.8.8:53

go.microsoft.com

76 B
171 B
1
1

DNS Request

go.microsoft.com

DNS Response

23.66.21.99

224.0.0.22

120 B
2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-3-0x00000000054F0000-0x0000000005513000-memory.dmp

Filesize
140KB

Download
memory/1412-0-0x00000000002E9000-0x0000000000301000-memory.dmp

Filesize
96KB

Download
memory/1412-1-0x0000000001C00000-0x0000000001C11000-memory.dmp

Filesize
68KB

Download
memory/1412-2-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.