File name:	my_attach.vbs
Full analysis:	https://app.any.run/tasks/6266179b-73cf-456e-a426-bb63a60604f2
Verdict:	Malicious activity
Threats:	Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. Malware Trends Tracker >>>
Analysis date:	December 06, 2019, 20:07:05
OS:	Windows 10 Professional (build: 16299, 64 bit)
Tags:	trojan gozi ursnif
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines, with no line terminators
MD5:	B2FA349DB7D42A0AA2FAD4FAF5E9B758
SHA1:	4B91CD990F5FE83C68C3859D2C9675EAEA71A845
SHA256:	3E37181D622725EA89A449F574D7AA680913B7D03CF1F3881C14AFF7DBCE0DA5
SSDEEP:	6144:bXuCOyk/8kohMCXvsqzpUiKMuwT1r4igOiTpSzcCOIVcyTYujPzYWGlbi6x3GGLm:bXuCX

PID	CMD	Path	Indicators	Parent process
2428	"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\my_attach.vbs.flm	C:\WINDOWS\system32\rundll32.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800)
4908	C:\WINDOWS\system32\OpenWith.exe -Embedding	C:\WINDOWS\system32\OpenWith.exe	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800)
2216	C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding	C:\WINDOWS\System32\rundll32.exe	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800)
444	"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\Desktop\my_attach.vbs"	C:\WINDOWS\System32\WScript.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384
1020	"C:\Windows\System32\rundll32.exe" "C:\Users\admin\Music\\4923.dll",DllRegisterServer	C:\Windows\System32\rundll32.exe	—	WScript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 10.0.16299.15 (WinBuild.160101.0800)
1744	"C:\Windows\System32\rundll32.exe" "C:\Users\admin\Music\\4923.dll",DllRegisterServer	C:\WINDOWS\SysWOW64\rundll32.exe		rundll32.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 10.0.16299.15 (WinBuild.160101.0800)
3696	"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Low-Mic Utility Tool Exit code: 0 Version: 11.00.16299.371 (WinBuild.160101.0800)
968	"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding	C:\Program Files\Internet Explorer\IEXPLORE.EXE		svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.16299.15 (WinBuild.160101.0800)
268	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:968 CREDAT:9474 /prefetch:2	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE		IEXPLORE.EXE
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800)
1960	"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding	C:\Program Files\Internet Explorer\IEXPLORE.EXE	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.16299.15 (WinBuild.160101.0800)

PID	Process	Filename		Type
968	IEXPLORE.EXE	C:\Users\admin\AppData\Local\Temp\~DFA7639C1A30814CEB.TMP		—
		MD5:—	SHA256:—
968	IEXPLORE.EXE	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\URLD50E.tmp		—
		MD5:—	SHA256:—
968	IEXPLORE.EXE	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\urlblock_637112583037787270.bin		—
		MD5:—	SHA256:—
968	IEXPLORE.EXE	C:\Users\admin\AppData\Local\Temp\~DF271A169B26DEBA6F.TMP		—
		MD5:—	SHA256:—
968	IEXPLORE.EXE	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5D19D9CC-1864-11EA-B466-5254004AAD11}.dat		—
		MD5:—	SHA256:—
968	IEXPLORE.EXE	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{5D19D9CE-1864-11EA-B466-5254004AAD11}.dat		binary
		MD5:C1A97E6BEE0AF35511C927DD4414F154	SHA256:872463711BDB4856F2124E35F2B34E58C204189FDD690B118E0F8E8462B1B9F4
968	IEXPLORE.EXE	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml		xml
		MD5:7B165537366E1C0B70FDEFA513C9BC46	SHA256:AB612C94D01DCEF9F693FA9770C2992815B2766A761E46F35D531FC6975A0DA3
444	WScript.exe	C:\Users\admin\Music\4923.dll		executable
		MD5:9961B509E47A191B9ECF1FE3F8317B36	SHA256:F6A1BF17A073827A8E5F272A762006DB21116FD71EF27191D41853687DD907E0
968	IEXPLORE.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLJYL64M\l1[1].dat		binary
		MD5:D457E0FCF68D7B56A58FD815F1C7380C	SHA256:BD2DE28B01ABC157664005AC917F254731E2BD7C92A632BF22873466BBBFEF7C
1960	IEXPLORE.EXE	C:\Users\admin\AppData\Local\Temp\~DF639DB861A0DB019C.TMP		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4528	IEXPLORE.EXE	GET	404	8.208.24.139:80	http://w8.wensa.at/api1/48ag1MDSs_2FXUGb6/DbwTownfBWzb/rlv7Y79TcY7/ZDaSBziNEgsyKO/F88iktodqkL_2BXeeDY4m/IVpuYli7qZJJyqQy/xpjZG5yFthgtOoB/xmI1_2FQt6ztijOKWy/Y_2BgSZxO/C_2BcU_2B3AQKCEissr3/iiI2iA50tNDSzqKRkWc/8XQAIUKRqLXG_2B6euYmWf/WunrjZM4UG3bN/Wf5jyoTA/8Vi_2BD9ITpRae1DM2CWYxc/095yxgh3nd/iN5pGTSss1TN3z_2F/k1Ikh_0A_0DX/U86PL05MiNn/uTZquYO2SB/2C7R	US	html	106 b	malicious
3336	IEXPLORE.EXE	GET	404	8.208.24.139:80	http://w8.wensa.at/api1/Gs5rd76x_2FAtai/G4RCaeiMOqId7NO3mO/dhQAqClsk/c7OKawUKhdkwFsJAb3Rv/s2eCzrZwYRLxCo6JViQ/ByZB57zkZSuIDK25wCKzO_/2FW2zDItjKbqj/Bb5dPLHt/WRcN0l33rRefg4A_2FWFCpz/P8Lz_2BnTj/Z7R63THD4r9qfeZj3/OwEMciiZc5ry/2jRxV_2F7vY/b4g6i9BA9QN3Rq/47UgxXG2AwRZ9s5ZrQLDV/k_2BgafcXVreDfMs/C4wWoJQ_2Bkydnu/d_2BZ_0A_0DYD7sQ4t/toSKk1a70q5VHs/Ia1FY	US	html	106 b	malicious
4212	IEXPLORE.EXE	GET	404	8.208.24.139:80	http://w8.wensa.at/api1/z4Qu9nTrXP/H9_2BZEbdpvYJL8D2/clpp3wRMB61c/ioHhc3MZFhT/vsPWkDbIHmocOH/wia7WNyVIGKK5K3Fwk6xI/X440w0QocJckQDKq/Y3suDC3g4BVRUhG/txGezJkYoYxTiaIOiY/FqgCvWhqi/GAw8ZjWwB_2BNyYC2WQM/tEEZc1mMjpK26MtCcga/u9USV_2BKxPZRLHsKvyJFV/p9IB8V4bCnlu0/5ZPHPT6a/RD8Le0AjJSWvas2C4shD_2F/HGgX_2FCDv/DFy4_0A_0DOROEvyo/KzdwJ7Enbal2u/h4g7uo	US	html	106 b	malicious
4504	IEXPLORE.EXE	GET	404	8.208.24.139:80	http://w8.wensa.at/api1/7pUxgRk40CBx_2FtR/2G7wjpSfnTbe/btGUg_2FH9M/qk0hxyYSFn4Mcm/oBkyUyCQJEdHKf1h_2Fs0/1VcPpxWNlD6bSVeg/z_2FxaqYdQGPRfU/4Q_2FGlPvfh1h0Bmvr/e3nVmPHnD/_2BxmQilLx4Wan4Lnm09/8eVwzjdr9mw4SF9atXD/83zIdinI8HmzIeQ5cVDjBy/xUnfJItlIdUfO/pXXj95Q6/m6AR_2B1gyR_2Bn1vAibx83/ytrZEzwIoJ/lnlIDwhs6arXmGP_2/Ff_2Bov_0A_0/D07pLtBiqE7/0zVPQhFom71sPj/Ls	US	html	106 b	malicious
2312	IEXPLORE.EXE	GET	404	8.208.24.139:80	http://w8.wensa.at/api1/WAe5FAUpxu/_2F82FJXpNM1FiPMf/vCuxlVkNdNVx/Ni_2BB_2BlR/Siq2DAA8cbfKqG/OiUbJC5HwLkfYQLbhtquc/K_2BD2HXhG9Ec8za/Hm8MaHXyst6_2Fb/9KH3HE2hVnZD_2Fp9o/aWJUJJ74M/GJsjdPsmxTDYu3BlkeWG/zm_2Fk_2FHFF5uYYUyT/IM_2BYTpe1BwGkKvrRwFrO/_2B02VSPdXfAg/vpWKHDKO/EzhWVhLii19pAoTVKRHGLJD/WZU_2BNLDK/H7xUKYaHerwi9kMg_/0A_0DXB5lZRd/6tFIed8x1/BAa7shRY/mB	US	html	106 b	malicious
696	IEXPLORE.EXE	GET	404	8.208.24.139:80	http://w8.wensa.at/api1/izlFuoDfS9Y/NsLsiX0bpTmMmZ/eEHTay8FtmGlLGDIJjFMA/soNEEf8DOmSXPlzg/Fm2W9M02WtKqvPo/YQrMJwa2BAodWHpT_2/BJxUPAaYH/AVkCaREG8vlLembP2skJ/6lX0e_2F0iIMfVMM9PL/XJEBxR8_2BsHksir9_2BH_/2FkAMHEIV5YZB/Xg9F6YCb/zo9tz2FQ5sFzwUGpl9TllO3/gsraQXaxH2/CA_2Bx58Lt5BdEW8d/CKknwS2BWOMd/2YV3Tuz7DMI/NCi_2Fc_0A_0DL/azIRHDidMUPT_2BUZG9pD/qGfdkm	US	html	106 b	malicious
4040	IEXPLORE.EXE	GET	404	8.208.24.139:80	http://w8.wensa.at/api1/D4iZ5W09GOxKBzfaE9g/Z8UTjMlZ9Xgrp4tZa5oQHS/faFqr_2BUfaCn/CTML_2BT/z98CuGj_2F05ETpGX2JYANP/ZDVmJjLaMU/3zuVejeVEEibh6jku/sBoYIIaO4tZm/3em24owCFiB/Cjyi_2B0yP1Qip/PwSUqP1k_2F6SKRClpfaE/emMGQ6JELGNs2He7/KjgFxhmED_2BarQ/dOGkFUyksFmXPvfulh/OLtAnmiuG/ZRAI_2BjFpeYQmFfijzO/LSNav_2BNtShpPAxfXe/r_0A_0DKuZzV9sTQmzbSmz/2LdTvLQEd3/Q	US	html	106 b	malicious
1704	IEXPLORE.EXE	GET	404	8.208.24.139:80	http://w8.wensa.at/api1/Qmk1xKp2xA/vumg4utzqweNPpNtv/UNAQMTzSua5g/rxvBnv7tqYQ/O_2FKt3i8gXMNS/XarVSrYXQqyyklj_2Bs_2/F5cm67ihZ25NyJXk/0SXkwmqR_2FeiEB/_2FW0JXIG_2FlfA_2B/0nxdfFNNe/Bs162_2F_2FLmU7Fg3A2/oCSz_2FuSA0N6_2B4KL/bz4Ps6glvgglvu5pMdB2It/eBEx2UQjTWDJ_/2Fd0xg6E/Wmv560D2bwT7NTLdA4TuOK1/9AAR5o05k_/2FRi9Lk6MyeH1fZlF/cNp_0A_0Db6y/AKTH7xKRR9i/ZiWfzmxR_2BX/CB	US	html	106 b	malicious
4008	IEXPLORE.EXE	GET	404	8.208.24.139:80	http://w8.wensa.at/api1/sBzYaKwN5nV/LtFVQrJdwunI44/45S19vJKb9HPn9pczE_2F/PrvD69mFZzpuLTNE/r_2FBRMwFYR70FQ/kWK2g4_2F2Xo9owTTG/uZrl2RMTj/73QjOEGZ8mEau2j92EuU/rvOqXM6cgOOzdMyFhKs/wwKukyQWPGDwM1N5mfMbhX/9c1L5Ah3dV_2F/W_2FkC3A/VR2xdDGkUpY7Yypq1Frb73P/fYgu0Fa1ix/eu6T9AcElOaGBsxrY/_2BLvMvUT7cZ/SRHm0Y33PKI/_2BMqpH_0A_0Dt/qFTCcNhL7mLwf45akDSEP/xggv	US	html	106 b	malicious
756	IEXPLORE.EXE	GET	404	8.208.24.139:80	http://w8.wensa.at/api1/9QVKYz7ly/4OVd8InPlrWOwCvv7Mc9/dRl_2FWBdigeFoVZRed/AMuxctXwVL1GSyEMN0tYOF/dlEh1qmd8g_2F/QuI1Q0d5/biUyLtuz5tBnyS5rI8eduvh/Qe6OvQq_2B/PxumSUb8viGTGuw_2/B_2FC2Q1Xprj/2rHI_2FliDb/XAirb5_2FojzTz/D8SZv5MTDjtO6KA33M5xQ/_2B7OH87ZPLfups4/RvwqT_2F2D6wusp/GxOPbo4DMwOuFqEbgK/93qdTPAU3/8LUBy05xYSdZy_0A_0D1/5CxvVse0vHfA8kmvdFF/a3AfHn	US	html	106 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
968	IEXPLORE.EXE	152.199.19.161:443	iecvlist.microsoft.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
1744	rundll32.exe	193.183.98.66:53	—	Prometeus di Daniela Agro	IT	malicious
268	IEXPLORE.EXE	8.208.24.139:80	w8.wensa.at	Level 3 Communications, Inc.	US	malicious
4528	IEXPLORE.EXE	8.208.24.139:80	w8.wensa.at	Level 3 Communications, Inc.	US	malicious
968	IEXPLORE.EXE	137.117.243.30:443	c.urs.microsoft.com	Microsoft Corporation	NL	unknown
2980	IEXPLORE.EXE	8.208.24.139:80	w8.wensa.at	Level 3 Communications, Inc.	US	malicious
2312	IEXPLORE.EXE	8.208.24.139:80	w8.wensa.at	Level 3 Communications, Inc.	US	malicious
4412	IEXPLORE.EXE	8.208.24.139:80	w8.wensa.at	Level 3 Communications, Inc.	US	malicious
3124	IEXPLORE.EXE	8.208.24.139:80	w8.wensa.at	Level 3 Communications, Inc.	US	malicious
2116	IEXPLORE.EXE	8.208.24.139:80	w8.wensa.at	Level 3 Communications, Inc.	US	malicious

Domain	IP	Reputation
self.events.data.microsoft.com	52.114.132.73	whitelisted
nexusrules.officeapps.live.com	52.109.8.21	whitelisted
w8.wensa.at	8.208.24.139	unknown
iecvlist.microsoft.com	152.199.19.161	whitelisted
c.urs.microsoft.com	137.117.243.30	whitelisted

General Info

my_attach.vbs

B2FA349DB7D42A0AA2FAD4FAF5E9B758

4B91CD990F5FE83C68C3859D2C9675EAEA71A845

3E37181D622725EA89A449F574D7AA680913B7D03CF1F3881C14AFF7DBCE0DA5

6144:bXuCOyk/8kohMCXvsqzpUiKMuwT1r4igOiTpSzcCOIVcyTYujPzYWGlbi6x3GGLm:bXuCX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

URSNIF was detected

Connects to CnC server

SUSPICIOUS

Executed via COM

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Uses RUNDLL32.EXE to load library

INFO

Manual execution by user

Reads the hosts file

Changes internet zones settings

Reads internet explorer settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings