analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Mayo_PDF_029228_HSGS_2019.vbs

Full analysis: https://app.any.run/tasks/d1ae80f3-f30b-4050-83ec-bc2acf2b7e0d
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 08:11:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ursa
opendir
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

B866A14C06CF7554D3B80B443AC1CA51

SHA1:

B2A98DB9B78488B1E8F91856D89D3F74E607E689

SHA256:

0B402C85493020D8B0004E8054909F209B29B864490673A7C58E3321C53B0E6C

SSDEEP:

96:kEQrVG5yPxgXRmkkIkIkWuNPkoPwWd5bh+ooCjmcclxYQNIUHs7Quap:kEQrVoyP2XRmkkIkXWuNPkoPwWdp7oCA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2648)
      • SearchProtocolHost.exe (PID: 1256)

    • URSA was detected

      • WScript.exe (PID: 2936)

    • Writes to a start menu file

      • rundll32.exe (PID: 2648)

    • Connects to CnC server

      • rundll32.exe (PID: 2648)

  • SUSPICIOUS

    • Connects to server without host name

      • WScript.exe (PID: 2936)
      • rundll32.exe (PID: 2648)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2936)

    • Uses RUNDLL32.EXE to load library

      • WScript.exe (PID: 2936)

    • Creates files in the user directory

      • rundll32.exe (PID: 2648)

    • Reads Environment values

      • rundll32.exe (PID: 2648)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #URSA wscript.exe rundll32.exe searchprotocolhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2936"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Mayo_PDF_029228_HSGS_2019.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2648"C:\windows\system32\rundll32.exe" c:\ayqarqibpekq\ehwkd.dll,ehwkdC:\windows\system32\rundll32.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1256"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Total events
321
Read events
300
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
2936WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ny21[1].htm
MD5:
SHA256:
2936WScript.exeC:\Users\Public\pr21
MD5:
SHA256:
2936WScript.exe\Device\HarddiskVolume2\ayqarqibpekq\ehwkd1.dkw
MD5:
SHA256:
2936WScript.exeC:\Users\Public\pr24
MD5:
SHA256:
2936WScript.exeC:\Users\Public\pr2sq
MD5:
SHA256:
2648rundll32.exeC:\Users\Public\LWX
MD5:
SHA256:
2936WScript.exeC:\Users\Public\S_text
MD5:D112A10FAC2C651C2C80F93B0DAD3647
SHA256:D46EBCC528AB8867119A61DCB7EA879054A30D1E6E15CA55991F16F427EBE33A
2936WScript.exeC:\Users\Public\ehwkdsq.zipcompressed
MD5:CEE363CE0D10C065CD64B4F9DF6943FE
SHA256:D4BC9169C4DFEA2C99AA7A4FD8FEB51B15CA16A5A1A7B2F1FEA7C5B380E426F0
2648rundll32.exeC:\Users\Public\S-text
MD5:AEB689BC5ACDA228972E938C9060D244
SHA256:4FF1C238F9285BA9E2302C4A4FD790C2A581CE24D3BEA34858728A17D16A4416
2936WScript.exeC:\ayqarqibpekq\ehwkd.dllexecutable
MD5:8F0FFAF35685315CD82D8393448CED22
SHA256:6647251730A37C770FBF425B173BF531DF3B0B5AC53373969B97C31BCFA9CCEE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2936
WScript.exe
GET
200
217.182.43.135:80
http://217.182.43.135/pr2a.php
FR
text
53 b
malicious
2936
WScript.exe
GET
200
217.182.43.135:80
http://217.182.43.135/pr2a1.ny2
FR
compressed
3.58 Mb
malicious
2936
WScript.exe
GET
200
217.182.43.135:80
http://217.182.43.135/pr2asq.ny2
FR
binary
443 Kb
malicious
2936
WScript.exe
POST
200
217.182.43.135:80
http://217.182.43.135/ny21.php
FR
text
5.66 Kb
malicious
2936
WScript.exe
GET
200
217.182.43.135:80
http://217.182.43.135/m/pr2266.ny2
FR
binary
39.6 Kb
malicious
2648
rundll32.exe
POST
200
217.182.43.135:80
http://217.182.43.135/
FR
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2648
rundll32.exe
217.182.43.135:80
OVH SAS
FR
malicious
2936
WScript.exe
217.182.43.135:80
OVH SAS
FR
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
2936
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Downloader UserAgent
2936
WScript.exe
Potentially Bad Traffic
ET USER_AGENTS [PTsecurity] Possible Trojan.Downloader UserAgent (binary_getter)
2936
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Downloader UserAgent
2936
WScript.exe
Potentially Bad Traffic
ET USER_AGENTS [PTsecurity] Possible Trojan.Downloader UserAgent (binary_getter)
2936
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Downloader UserAgent
2936
WScript.exe
Potentially Bad Traffic
ET USER_AGENTS [PTsecurity] Possible Trojan.Downloader UserAgent (binary_getter)
2648
rundll32.exe
A Network Trojan was detected
ET TROJAN Ursa Loader CnC Checkin
2648
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Guildma.AJ
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Mayo_PDF_029228_HSGS_2019.vbs