URL: https://drive.google.com/uc?id=1Ki-mvVkq3eDrJKl6anElzsbxO9KoON8t&export=download

Full analysis: https://app.any.run/tasks/74094649-696a-42fb-80e1-42136d15f9b1
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: March 30, 2020, 19:41:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, gozi, ursnif
Indicators:
MD5: AC0886F0CD72B8174FD8206177ED860A
SHA1: B8A33650E046C16482F5792B82F5134D912198FE
SHA256: 3233CC746120ED31C6793DEF5E037A42BF557577376770A5F74D67245C503000
SSDEEP: 3:N8PMMtZJu2NMu3M1TmBVfWHs5M:2A2H3EmSHN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Registers / Runs the DLL via REGSVR32.EXE
      • WScript.exe (PID: 2728)
    • Connects to CnC server
      • iexplore.exe (PID: 2800)
    • URSNIF was detected
      • iexplore.exe (PID: 2800)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WScript.exe (PID: 2728)
    • Executes scripts
      • WinRAR.exe (PID: 2616)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 3328)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2800)
      • iexplore.exe (PID: 3328)
    • Creates files in the user directory
      • iexplore.exe (PID: 2800)
      • iexplore.exe (PID: 3328)
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 3328)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2800)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3328)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3328)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process chain, per the parent-process data below): start → iexplore.exe (3328) → iexplore.exe (2800, #URSNIF) → winrar.exe (2616, no specs) → wscript.exe (2728) → regsvr32.exe (2068, no specs)

Process information

PID: 3328
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://drive.google.com/uc?id=1Ki-mvVkq3eDrJKl6anElzsbxO9KoON8t&export=download"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2800
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3328 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2616
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\my_attach_z8r_399116.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2728
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2616.17240\my_attach_z8r.js"
Path: C:\Windows\System32\WScript.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 2068
CMD: "C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\\IOmGWiIeGfi.txt
Path: C:\Windows\System32\regsvr32.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 11 331
Read events: 2 211
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 1
Suspicious files: 31
Text files: 18
Unknown types: 9

Dropped files

PID 2800 (iexplore.exe): C:\Users\admin\AppData\Local\Temp\Low\Cab7B24.tmp
PID 2800 (iexplore.exe): C:\Users\admin\AppData\Local\Temp\Low\Tar7B25.tmp
PID 3328 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
PID 3328 (iexplore.exe): C:\Users\admin\AppData\Local\Temp\~DF88BCE0830803815C.TMP
PID 3328 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\my_attach_z8r_399116.zip.qcw5v5x.partial:Zone.Identifier
PID 2616 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DIb2616.17240\my_attach_z8r.js
PID 2800 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29 (type: der)
  MD5: 75D636BF532AFFBC75F461235C3B4D5C
  SHA256: 727247C8DCAC2B6B8A4F5890F1BCE6F8AF87B49BC38F97308E706A6A313B66AF
PID 2800 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29 (type: binary)
  MD5: 6AA280F05CE45180C6DC0ED9AA287DA7
  SHA256: E7E6EC137025C9B1C876E164F482386CB0B6C4D07E6BCDE5EB90AD64C8063EDE
PID 2800 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B (type: binary)
  MD5: 85A044CE976CEFBD1B9B536657807FA7
  SHA256: CB757862F66C22C2D4EB322DCF152CAB52F081160413192BCA8054A949DC5EC1
PID 2800 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72 (type: binary)
  MD5: 5CB7E4F7E5D0B55FF15532E79A693711
  SHA256: 4DB4A9A9E623ABC2A5E835A42D09217BFF5373436627B6D264848C98C2E42C15
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 20
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2800 | iexplore.exe | GET | 404 | 84.38.180.166:80 | http://f1.pipen.at/api1/zbeiV6wwrPnrbbJ5s/_2FkhEua_2Be/LXe3sOpeP7L/9PC0nypd1XsmQ_/2BRqdrCIq41NlleyKfX2y/XjSSHbwn_2FVMCXA/CNfkIzN3UCb1eca/dWgO7OEoll9A83osQ6/yH9_2Fgso/XdhWMUJTdaAoZ0o92lTh/Cl_2Bg1WWRKiXnCTeXM/svwJz4Gg9NCX2ZHGowO5FJ/uIT3t4ElzdRot/_2BR9ulY/125Zgs4d8QY2D_2BCVU6rnI/zvYktJJxxb/utdNRC9RtZTlFQLuJ/m1Q_0A_0Dmfm/VfmPXbjDcr_/2F4k_2BNnJLhmm/3R | RU | html | 123 b | malicious
2800 | iexplore.exe | GET | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
2800 | iexplore.exe | GET | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFOOHQjK5IlqCAAAAAAyCmA%3D | US | der | 471 b | whitelisted
2800 | iexplore.exe | GET | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDL%2FQslYWVuogIAAAAAXGdc | US | der | 472 b | whitelisted
3328 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted (5 identical requests)
3328 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3328 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3328 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2800 | iexplore.exe | 172.217.16.193:443 | doc-0g-9s-docs.googleusercontent.com | Google Inc. | US | whitelisted
3328 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2800 | iexplore.exe | 172.217.23.174:443 | drive.google.com | Google Inc. | US | whitelisted
2800 | iexplore.exe | 84.38.180.166:80 | f1.pipen.at | Private higher education institution autonomous nonprofit organisation 'Regional Finance and | RU | malicious
2800 | iexplore.exe | 172.217.18.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3328 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
drive.google.com | 172.217.23.174 | shared
ocsp.pki.goog | 172.217.18.163 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
doc-0g-9s-docs.googleusercontent.com | 172.217.16.193 | shared
dns.msftncsi.com | 131.107.255.255 | shared
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
ieonline.microsoft.com | 204.79.197.200 | whitelisted
f1.pipen.at | 84.38.180.166 | unknown

Threats

PID | Process | Class | Message
2800 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ursnif
2 ETPRO signatures available at the full report
No debug info