Ursnif Malware — behaviour and removal
In this article we provide a detailed analysis of the Ursnif malware (previously introduced: Ursnif, attacks in Italy – LINK), identifying its infection and persistence characteristics.
MITRE ATT&CK applied to Ursnif
The infection chain resembles that of other malware:
- an email sent with a malicious attachment
- execution of PowerShell commands
- download and execution of the Trojan.
Using the MITRE ATT&CK matrix (MITRE’s Adversarial Tactics, Techniques, and Common Knowledge) we can map the malware’s characteristics (techniques and tactics) and correlate it with samples exhibiting identical behavior.

Malware Details
| Info | Value |
| --- | --- |
| MD5 | ab33b0f6560c16133339182b8c5030ce |
| SHA1 | 261cb3e5595f4cca5a0c0a12006288e48a8f6d1e |
| SHA256 | 0ce4392261f6d8d0a2fa666b649860716527f41ea90de948fb03affed69a50ac |
| VirusTotal | VirusTotal Link |
The malware was compressed with the UPX 3.0.6 packer:

The PDB Path allows us to extend the search to other samples not covered in this analysis, but which we consider valuable for tracking the offensive operations of the criminal group:
| PDB Path: | y:\test4\zzz1\Release\zzz1.pdb |
| Related malware (same PDB path): | HYBRIDANALYSIS LINK |
Dynamic Malware Analysis
During the startup phase, the malware performs a series of operations. It uses WMIC commands to establish persistence through registry keys, then injects itself via PowerShell into a system process (explorer.exe). Our Managed Detection and Response capabilities have identified this injection pattern as a critical indicator of compromise requiring immediate containment.

Network indicators of compromise for Ursnif malware infection:
| DNS requests |
| --- |
| ninasukash[.]com |
| cjwefomatt[.]com |
Have we been compromised?
To identify potential compromises within corporate infrastructure, it is necessary to search firewall, proxy, or router logs for the domains "ninasukash[.]com" and "cjwefomatt[.]com".
To verify whether a workstation has been affected by this malware, multiple tools exist for Incident Response activities. For manual inspection, anomalies can be identified in registry keys used by the malware for system startup, located at the following path:
HKCU:\Software\AppDataLow\Software\Microsoft\
Persistence Details
For persistent access to the compromised system, the malware body is stored inside registry values, a technique known as a fileless attack (T1547.001 – Registry Run Keys / Startup Folder). No executable is written to disk: the malware is read from the registry and injected into system processes during operating system startup via the following command:
"C:\Windows\system32\wbem\wmic.exe" /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\89726C36-545A-A301-A6CD-C8873A517CAB').crypptsp))"
The malware creates a series of registry subkeys at the following path (the final portion is randomized):
HKCU:\Software\AppDataLow\Software\Microsoft\89726C36-545A-A301-A6CD-C8873A517CAB
The Ursnif malware, positioned within the key "89726C36-545A-A301-A6CD-C8873A517CAB", is executed at RUN via the command:
powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\89726C36-545A-A301-A6CD-C8873A517CAB').crypptsp))
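The checks from the "Have we been compromised?" section (log search for the two domains) and the persistence command line above can be scripted. The following is an added example written for this article, not code from the original analysis or from Reaqta: it matches the defanged IoC domains against constructed proxy log lines and scores a process command line on the co-occurrence of the WMIC, hidden PowerShell, IEX and AppDataLow registry-path markers; the sample log lines and the threshold of 3 are assumptions.

```python
import re

# Network IoCs from the article, kept defanged exactly as written there.
IOC_DOMAINS = {"ninasukash[.]com", "cjwefomatt[.]com"}

# Fragments of the WMIC -> PowerShell -> IEX -> registry chain quoted in the article.
PERSISTENCE_MARKERS = (
    r"wmic(\.exe)?.*process\s+call\s+create",
    r"powershell.*-w\s+hidden",
    r"\biex\b",
    r"HKCU:\\Software\\AppDataLow\\Software\\Microsoft",
)

def refang(domain: str) -> str:
    """Turn the defanged form 'example[.]com' into 'example.com' for matching."""
    return domain.replace("[.]", ".").lower()

def find_ioc_hits(log_lines):
    """Return (line_no, domain) for each log line naming an IoC domain (subdomains included)."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for dom in sorted(refang(d) for d in IOC_DOMAINS):
            if re.search(r"(^|[^a-z0-9-])" + re.escape(dom) + r"($|[^a-z0-9-])", line.lower()):
                hits.append((n, dom))
    return hits

def persistence_score(cmdline: str) -> int:
    """Count how many markers of the persistence command line are present."""
    return sum(1 for p in PERSISTENCE_MARKERS if re.search(p, cmdline, re.IGNORECASE))

def is_ursnif_persistence(cmdline: str, threshold: int = 3) -> bool:
    """Flag a process-creation command line when at least `threshold` markers co-occur (assumed threshold)."""
    return persistence_score(cmdline) >= threshold

# Constructed sample proxy log lines (not taken from the article).
SAMPLE_PROXY_LOG = [
    "10.0.0.21 GET http://ninasukash.com/ 200",
    "10.0.0.21 GET http://www.example.com/ 200",
    "10.0.0.33 CONNECT cjwefomatt.com:443 200",
]
# The persistence command line quoted in the article, with straight quotes.
URSNIF_CMDLINE = r'''"C:\Windows\system32\wbem\wmic.exe" /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\89726C36-545A-A301-A6CD-C8873A517CAB').crypptsp))"'''
# A constructed benign hidden-window PowerShell invocation that must not be flagged.
BENIGN_CMDLINE = r"powershell -w hidden -File C:\scripts\backup.ps1"

if __name__ == "__main__":
    print("IoC hits:", find_ioc_hits(SAMPLE_PROXY_LOG))
    print("Ursnif command line flagged:", is_ursnif_persistence(URSNIF_CMDLINE))
    print("Benign command line flagged:", is_ursnif_persistence(BENIGN_CMDLINE))
```

The command-line check is meant for process-creation telemetry (for example Sysmon event 1 or Security event 4688 command lines), where the four markers rarely appear together in legitimate activity.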
Offensive Infrastructure Systems
The Ursnif variant analysed is part of a malware campaign initiated on 11 November and is characterised by the root folder "YER" used by the malware distribution system. Recent tracking by the team at Reaqta has identified additional Ursnif campaigns:
- “WES” from November 5 to the present.
- “TJY” from October 29 to November 5.
- “RUI” from October 16 to October 28.
- “TNT” from August 22 to October 11.
Network indicators of compromise associated with the latest malware campaign:
| Domains: |
| --- |
| ninasukash.com |
| cjwefomatt.com |
This class of malware creates and dismantles its infrastructure within short timeframes. Once an infection wave has been launched, the systems are decommissioned and abandoned:


The access panel used for command-and-control server administration:


Frequently these servers are misconfigured, permitting analysts to access valuable information, as observed in this instance:


Technical Implications
Effective response to this threat class requires specialist capability to identify and track attacker infrastructure, enumerate affected systems, and restore security posture across compromised endpoints and network resources. Rapid identification of command-and-control domains, coupled with analysis of misconfigured administrative interfaces, remains critical to limiting dwell time and lateral movement within enterprise environments.