Ursnif 2019-05-27

VMRay Threat Indicators (21 rules, 67 matches)

Severity	Category	Operation	Count	Classification
4/5	Information Stealing	Exhibits Spyware behavior	1	Spyware
Tries to read sensitive data of: Microsoft Outlook, Internet Explorer / Edge, Mozilla Firefox. ... VTI Actions
4/5	Injection	Writes into the memory of another running process	8	-
"c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe" modifies memory of "c:\windows\explorer.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" modifies memory of "c:\windows\explorer.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" modifies memory of "c:\windows\syswow64\explorer.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" modifies memory of "c:\program files (x86)\internet explorer\iexplore.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" modifies memory of "c:\program files (x86)\mozilla firefox\firefox.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" modifies memory of "c:\program files (x86)\google\chrome\application\chrome.exe". ... VTI Actions Go to Behavior
"c:\program files (x86)\google\chrome\application\chrome.exe" modifies memory of "c:\program files (x86)\google\chrome\application\chrome.exe". ... VTI Actions Go to Behavior
"c:\program files (x86)\internet explorer\iexplore.exe" modifies memory of "c:\program files (x86)\internet explorer\iexplore.exe". ... VTI Actions Go to Behavior
4/5	Injection	Modifies control flow of another process	9	-
"c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe" alters context of "c:\windows\explorer.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" alters context of "c:\windows\explorer.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" alters context of "c:\windows\syswow64\explorer.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" alters context of "c:\program files (x86)\internet explorer\iexplore.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" alters context of "c:\program files (x86)\mozilla firefox\firefox.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" alters context of "c:\program files (x86)\google\chrome\application\chrome.exe". ... VTI Actions Go to Behavior
"c:\program files (x86)\google\chrome\application\chrome.exe" alters context of "c:\program files (x86)\google\chrome\application\chrome.exe". ... VTI Actions Go to Behavior
"c:\program files (x86)\internet explorer\iexplore.exe" alters context of "c:\program files (x86)\internet explorer\iexplore.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" creates thread in "c:\windows\explorer.exe". ... VTI Actions Go to Behavior
3/5	Browser	Changes security-related browser settings	1	-
Disables SPDY/3 for Microsoft Internet Explorer. ... VTI Actions Go to Behavior
3/5	Device	Monitors keyboard input	1	Keylogger
Installs system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes. ... VTI Actions Go to Behavior
2/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	1	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Behavior
2/5	Information Stealing	Reads sensitive mail data	1	-
Trying to read sensitive data of mail application "Microsoft Outlook" by registry. ... VTI Actions Go to Behavior
2/5	Information Stealing	Reads sensitive browser data	5	-
Trying to read sensitive data of web browser "Internet Explorer / Edge" by file. ... VTI Actions Go to Behavior
Trying to read sensitive data of web browser "Internet Explorer / Edge" by registry. ... VTI Actions Go to Behavior
Trying to read credentials of web browser "Internet Explorer" by reading from the system's credential vault. ... VTI Actions Go to Behavior Go to Behavior
Trying to read sensitive data of web browser "Mozilla Firefox" by file. ... VTI Actions Go to Behavior
Trying to read sensitive data of web browser "Google Chrome" by file. ... VTI Actions Go to Behavior
2/5	Anti Analysis	Delays execution	1	-
One thread sleeps more than 5 minutes. ... VTI Actions Go to Behavior
2/5	Reputation	Known suspicious file	1	Trojan
File "C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe" is a known suspicious file. ... VTI Actions Go to file details Go to Behavior
2/5	YARA	YARA match	1	-
Rule "APLib_Compressed_PE" from ruleset "Generic" has matched on a memory dump for process "sgm_20190527_desfuhohdt.exe". ... VTI Actions Go to YARA match Go to process Go to file details
1/5	Information Stealing	Reads system data	1	-
Reads the Windows installation date from registry. ... VTI Actions Go to Behavior
1/5	Process	Creates process with hidden window	6	-
The process "C:\Windows\explorer.exe" starts with hidden window. ... VTI Actions Go to Behavior
The process "C:\Windows\SysWOW64\explorer.exe" starts with hidden window. ... VTI Actions Go to Behavior
The process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" starts with hidden window. ... VTI Actions Go to Behavior
The process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" starts with hidden window. ... VTI Actions Go to Behavior
The process "cmd" starts with hidden window. ... VTI Actions Go to Behavior
The process "makecab.exe" starts with hidden window. ... VTI Actions Go to Behavior
1/5	Process	Reads from memory of another process	7	-
"c:\windows\explorer.exe" reads from "c:\windows\explorer.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" reads from "C:\Windows\SysWOW64\explorer.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" reads from "C:\Program Files (x86)\Internet Explorer\iexplore.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" reads from "C:\Program Files (x86)\Mozilla Firefox\firefox.exe". ... VTI Actions Go to Behavior
"c:\windows\explorer.exe" reads from "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe". ... VTI Actions Go to Behavior
"c:\program files (x86)\google\chrome\application\chrome.exe" reads from "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe". ... VTI Actions Go to Behavior
"c:\program files (x86)\internet explorer\iexplore.exe" reads from "C:\Program Files (x86)\Internet Explorer\iexplore.exe". ... VTI Actions Go to Behavior
1/5	Process	Creates a page with write and execute permissions	1	-
Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. ... VTI Actions Go to Behavior
1/5	Process	Creates system object	10	-
Creates mutex with name "{AE7A4847-3582-10AE-2FC2-3944D3167DB8}". ... VTI Actions Go to Behavior
Creates mutex with name "Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6}". ... VTI Actions Go to Behavior
Creates mutex with name "Local\{4B67ACB1-2E14-B54D-90AF-42B9C45396FD}". ... VTI Actions Go to Behavior
Creates mutex with name "Local\{A3415127-A63A-CD11-C887-3A517CAB0E15}". ... VTI Actions Go to Behavior
Creates mutex with name "{7A3DADF8-91AE-BC96-EB4E-55B04F6259E4}". ... VTI Actions Go to Behavior
Creates mutex with name "{4A9E43FA-2179-0C40-FB1E-E5005F32E934}". ... VTI Actions Go to Behavior
Creates mutex with name "{E66674FB-0DD1-08BF-C77A-91BCEB4E55B0}". ... VTI Actions Go to Behavior
Creates mutex with name "{8628A1FE-2D66-A811-E71A-B15C0BEE7550}". ... VTI Actions Go to Behavior
Creates mutex with name "{FA436005-1103-3CE1-6BCE-D530CFE2D964}". ... VTI Actions Go to Behavior
Creates mutex with name "{A6611EF7-CD0C-C847-873A-517CAB0E1570}". ... VTI Actions Go to Behavior
1/5	Information Stealing	Possibly does reconnaissance	1	-
Possibly trying to gather information about application "Mozilla Firefox" by file. ... VTI Actions Go to Behavior
1/5	File System	Creates an unusually large number of files	1	-
Creates an unusually large number of files. ... VTI Actions Go to file details
1/5	Process	Overwrites code	1	-
Overwrites code to possibly hide behavior. ... VTI Actions Go to Hook Information
1/5	Network	Connects to HTTPS server	8	-
URL "pilodirsob.com/images/5qbVQlb0ymuWmr_2FkDD/NVO_2FaAbeais0tlU4Y/q6BT_2B9eGfIoI43LtIhuV/QtnQchMUX6n9F/B3asYZXw/_2FhYDUJMTYaB3PKILEcVcg/WMgDIGrshB/e0T_2F3OwLtl327Jy/bBo858JdBzTI/m9AayoD6ps_/2Box0bRB6Ldta7/Ec_2F84BmjL_2BnKYZQkp/kBMno7exP3mbnkFE/DFUo4OOfG5hYXwg/QTjEpneV/Z.jpeg". ... VTI Actions Go to Behavior
URL "pilodirsob.com/images/ALm9doLlVIZDvXXaVPSD5NU/G9gIRqJdLN/sZhuaaCEFWzkyoqKj/9pFw3rOHHUnw/3eVqlH8JMBb/YM6sRsgoL7b6mo/uZxBYWQozhPbYbk_2FE3f/9dQnckJqipAjCt_2/Fwt0XfhOSi4n4Sv/muG4_2Bsfmf_2BX9cd/W7uCekL9q/zb_2F_2FSyLHWG9lwOh0/h12G3w93FzjEbcw/2TY.gif". ... VTI Actions Go to Behavior
URL "pilodirsob.com/images/t_2Bbwrq/4hGdgyKXBVaYI8sycTeG_2F/7fwTKT5wKm/53_2FI_2F_2BUpoKX/1JUdFqL3BccG/ALIEe9yHqZs/CuBwVyvngvfzHK/j01D3Nd_2BsoELZZgRztf/Hjzmf0XYORqncRr5/nrUwyG5XfT7xNoF/3WbskiH5Xge7m5sju_/2Bh3mTulO/O9vqdGGP1An2dNtNLrrJ/ww899q9EO0SD2Cw6wV5/GuLKDA_2FAdE/viwXv.bmp". ... VTI Actions Go to Behavior
URL "pilodirsob.com/images/VpSwnjfgapjrZm6gIom/TOD75vUMx0nMCen9Uivpm3/5C17VQzgjhR1Y/2RyNWwMc/ubmDPmuEaZgasPIJUIBnukQ/RVFbBOvH6_/2F6abm7B8P2xoLmrb/eNtEQ_2F6FwB/1WdZQWiwsL_/2Bq9YG_2B3mLRZ/t1ISj0P_2Fyy_2FjWUqVh/ijGkia_2BTF3Kwp4/JMZvkFn9bDPuy3c/TnKkY4EZrL7eqh_2FM/_2Fp4Om_2F/KEfjK.bmp". ... VTI Actions Go to Behavior
URL "pilodirsob.com/images/jZqrkd6qeE46/7g6Fv_2FdEu/Do0MeEJh0LLzgG/T8TmZJYtoIN0od3xZNEfQ/2ySDg_2FTQYvHdsB/Rwkc3jVOpBTR_2F/mUe9_2Fp_2BeB_2FaY/5QbnIPuq4/uFrAnYo7qan8xnyHGrIs/fVOVgJP3OsIKrdJaf9L/pSnsMcCFz9ix_2BDc4TnBw/tiOyUqjVKd1KS/_2FTUK8h/6Pj2pznkRvVGrtjN2s5KVzU/Dtli55kT/5.gif". ... VTI Actions Go to Behavior
URL "pilodirsob.com/images/FDqtJFjzhKMo0poCP1/rWlB9yzfz/C9MLfXrVtkvtM1KRACfp/_2FREOHnbbVAGiNGrYJ/FL1rfJ1myGWyIUQThK7qOx/BwesbP_2BnsoP/E0QHPxve/Jo5rlhISU6nZqdz2b8pbMfF/6UvM9pL3MJ/rThvhPESwU6pxyqgR/W1yfVNsWUiWF/Mq681DDK240/f0q9y_2Bdsib48/pFWZGi9Jrpw14ly3VGBeS/DIu.bmp". ... VTI Actions Go to Behavior
URL "pilodirsob.com/images/08fOuvOECMJ8jg/Vv5aYZdsPxbyb3uwFlLX2/pq0B3cl46_2BGd72/_2B0FmNZlKlbphQ/kpCDTXpVwciXqMvCD_/2BiQ9PCiQ/GaXe6ug2L0lbPS6KZ7Ax/iDJPeW9_2BcJ58vWzj9/uWyE2m4Hw2YnmWRdg4_2Fa/THobXHUisDQO7/WutiVtPX/ZssCVCoDsz9MJSynqJJ5CCw/3Kz9.gif". ... VTI Actions Go to Behavior
URL "pilodirsob.com/images/micpyTcOEehAuAs7/_2F_2FaOLGeSfBg/SpqBP8BgrEPPu7fRQk/ZeJOITtHs/YWEqWFBZeXLDHvssfO9r/i_2FIb5Uzc70BiTAWZ9/pW3MoyQFCUx52IDsZSb5d1/NEH549uzpN_2B/_2FSVPr4/NvChszaTrwqyOg_2BEy5Xdb/D687vZ8oiI/0NSSiOjDkO10iDprd/Qviosj1zecPb/eHRsDzQsJxM/44j8owHTlQn/rF.bmp". ... VTI Actions Go to Behavior
0/5	Process	Enumerates running processes	1	-
Enumerates running processes. ... VTI Actions Go to Behavior

Screenshots

Monitored Processes

Sample Information

ID	#57712
MD5	879d9a2c75ee83443a0a913f5dc71b5c
SHA1	41c124f8b5341773046ac9c6b5924b7919e0ac15
SHA256	53f7d917ad9ebf5b7d2ccc1a835083bc0c0b92cc69ee584703ea6e4345f5c457
SSDeep	24576:GmZ5G43EgTDD55vd9lTTwTJvLqWZlzSq05sRlKi9AwvjUkSSX:jZ5rEgPfd9lTmvLq2lY0l+0X
ImpHash	f716ba60b7f16c8a90094437582b28f7
Filename	sgm_20190527_desfuhohdt.exe
File Size	1.10 MB
Sample Type	Windows Exe (x86-32)

Analysis Information

Creation Time	2019-06-09 17:05 (UTC+2)
Analysis Duration	00:15:21
Number of Monitored Processes	35
Execution Successful
Reputation Enabled
WHOIS Enabled
Local AV Enabled
YARA Enabled
Number of AV Matches	0
Number of YARA Matches	1
Termination Reason	Timeout
Tags	#Ursnif

VMRay Threat Indicators (21 rules, 67 matches)

Screenshots

Monitored Processes

Sample Information

Analysis Information

Before

After