File name: view_presentation_s1v#405425(1).zip
Full analysis: https://app.any.run/tasks/cd4e5b36-0c5c-434e-b118-8ce53b532280
Verdict: Malicious activity

Threats: trojan

Trojans are malicious programs that masquerade as benign software. What they do varies by family: full remote control of the victim's machine, theft of data and files, or dropping further malware. The most common trojan infection chain starts with a phishing email.

Analysis date: February 21, 2020, 21:07:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, gozi, ursnif

Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: F594F1DC380C9D849346D54B59FC0FFF
SHA1: 09C7E1B4C34D3A9DA91745239DD293CB1CC4F98B
SHA256: 60C0A589B3B56488A98E75CE0C9FA8EDBA1E6E197BF83942D57BC210EA526A36
SSDEEP: 6144:4xszvMCSd9wG5H6KN5RMWKlQwId6k2aqMCl8eEKZp:VvMCOHPRM/bIdXPqMNeEKZp

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by analyst actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Connects to CnC server

      • iexplore.exe (PID: 912)
      • iexplore.exe (PID: 4012)
      • iexplore.exe (PID: 4056)
      • iexplore.exe (PID: 3352)
      • regsvr32.exe (PID: 2784)
    • URSNIF was detected

      • iexplore.exe (PID: 912)
      • iexplore.exe (PID: 4012)
      • iexplore.exe (PID: 4056)
      • iexplore.exe (PID: 3352)
      • regsvr32.exe (PID: 2784)
    • Registers / Runs the DLL via REGSVR32.EXE

      • WScript.exe (PID: 3084)
  • SUSPICIOUS

    • Executes scripts

      • WinRAR.exe (PID: 3540)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3084)
    • Executed via COM

      • iexplore.exe (PID: 1944)
      • iexplore.exe (PID: 2760)
      • iexplore.exe (PID: 3664)
      • iexplore.exe (PID: 2848)
  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 912)
      • iexplore.exe (PID: 4012)
      • iexplore.exe (PID: 4056)
      • iexplore.exe (PID: 3352)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 912)
      • iexplore.exe (PID: 1944)
      • iexplore.exe (PID: 4012)
      • iexplore.exe (PID: 2760)
      • iexplore.exe (PID: 3664)
      • iexplore.exe (PID: 4056)
      • iexplore.exe (PID: 2848)
      • iexplore.exe (PID: 3352)
    • Changes internet zones settings

      • iexplore.exe (PID: 1944)
      • iexplore.exe (PID: 2760)
      • iexplore.exe (PID: 3664)
      • iexplore.exe (PID: 2848)
    • Application launched itself

      • iexplore.exe (PID: 2760)
      • iexplore.exe (PID: 3664)
      • iexplore.exe (PID: 2848)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1944)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1944)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1944)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: view_presentation_s1v.js
ZipUncompressedSize: 2781774
ZipCompressedSize: 280791
ZipCRC: 0xd3d9c637
ZipModifyDate: 2020:02:21 23:32:17
ZipCompression: Deflated
ZipBitFlag: 0x0001 (bit 0 of the general-purpose flag, which the ZIP specification defines as "entry is encrypted", i.e. the archive is password-protected)
ZipRequiredVersion: 20

All screenshots are available in the full report
Total processes: 45
Monitored processes: 11
Malicious processes: 11
Suspicious processes: 0

Behavior graph

Process tree as the graph shows it (PIDs from the process table below; "no specs" marks a process with no signature hit, #URSNIF one on which the Ursnif signature fired):

explorer.exe
  WinRAR.exe (PID 3540, no specs)
    WScript.exe (PID 3084)
      regsvr32.exe (PID 2784) #URSNIF
svchost.exe
  iexplore.exe -Embedding (PID 1944)
    iexplore.exe (PID 912) #URSNIF
  iexplore.exe -Embedding (PID 2760, no specs)
    iexplore.exe (PID 4012) #URSNIF
  iexplore.exe -Embedding (PID 3664, no specs)
    iexplore.exe (PID 4056) #URSNIF
  iexplore.exe -Embedding (PID 2848, no specs)
    iexplore.exe (PID 3352) #URSNIF (the fourth flagged child; its own table entry is not on this page, so the pairing with 2848 is inferred from the graph order)

The chain the report records: the archive is opened in WinRAR, WScript.exe runs the extracted .js, the script drops YLHJ.txt in Temp and runs it through regsvr32.exe -s, and from then on the Ursnif signature fires on regsvr32.exe and on the COM-launched Internet Explorer child processes, which also carry the HTTP traffic to 31.184.254.193 listed in the network section.

Process information

PID 3540  WinRAR.exe  (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\view_presentation_s1v#405425(1).zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3084  WScript.exe  (parent: WinRAR.exe)
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3540.24794\view_presentation_s1v.js"
  Path: C:\Windows\System32\WScript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 2784  regsvr32.exe  (parent: WScript.exe)
  CMD: "C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\\YLHJ.txt
  Path: C:\Windows\System32\regsvr32.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft(C) Register Server
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1944  iexplore.exe  (parent: svchost.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 912  iexplore.exe  (parent: iexplore.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1944 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2760  iexplore.exe  (parent: svchost.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 4012  iexplore.exe  (parent: iexplore.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2760 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3664  iexplore.exe  (parent: svchost.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 4056  iexplore.exe  (parent: iexplore.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3664 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2848  iexplore.exe  (parent: svchost.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
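The process table records exactly the chain a detection engineer would want to alert on: WinRAR extracts the archive into a Rar$ temp folder, WScript.exe runs the .js from there, and WScript.exe then launches regsvr32.exe -s on a file with a .txt extension in the user's Temp folder, which is not a path or extension regsvr32 is normally handed. The script below is an added example, not part of the ANY.RUN report, that runs those checks over the command lines from the table. The Proc records are constructed from the table; the rule names, severities, path pattern and extension lists are this example's own choices.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str      # full command line as the sandbox recorded it
    parent: str   # image name of the parent process


# Constructed from the command lines in the process table above.
PROCS = [
    Proc(3540, r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\view_presentation_s1v#405425(1).zip"', "explorer.exe"),
    Proc(3084, r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3540.24794\view_presentation_s1v.js"', "WinRAR.exe"),
    Proc(2784, r'"C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\\YLHJ.txt', "WScript.exe"),
    Proc(1944, r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding', "svchost.exe"),
    Proc(912, r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1944 CREDAT:267521 /prefetch:2', "iexplore.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "winzip32.exe"}
SCRIPT_EXT = {"js", "jse", "vbs", "vbe", "wsf", "hta"}
LIBRARY_EXT = {"dll", "ocx", "ax", "cpl"}       # what regsvr32 is normally handed
# Directories an unprivileged user can write to (pattern chosen for this example).
USER_WRITABLE = re.compile(r"\\(?:appdata|programdata|users\\[^\\]+\\downloads)\\", re.I)
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def split_cmd(cmd):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in _ARG.findall(cmd)]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ext_of(path):
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect(procs):
    """Return (severity, pid, reason) for every process matching one of three checks."""
    findings = []
    for p in procs:
        argv = split_cmd(p.cmd)
        image, args, parent = basename(argv[0]).lower(), argv[1:], p.parent.lower()

        # 1. regsvr32 handed a non-library file from a user-writable directory
        #    (in this report: -s on a .txt in Temp, spawned by a script host).
        if image == "regsvr32.exe":
            silent = any(a.lower() in ("-s", "/s") for a in args)
            for target in (a for a in args if not a.startswith(("-", "/"))):
                if ext_of(target) not in LIBRARY_EXT and USER_WRITABLE.search(target):
                    sev = "high" if parent in SCRIPT_HOSTS else "medium"
                    findings.append((sev, p.pid, f"regsvr32{' -s' if silent else ''} loading "
                                     f"{basename(target)} from a user-writable path, parent {p.parent}"))

        # 2. script host started by an archiver on a script straight out of the archive
        elif image in SCRIPT_HOSTS and parent in ARCHIVERS:
            for a in args:
                if ext_of(a) in SCRIPT_EXT or "\\rar$" in a.lower():
                    findings.append(("medium", p.pid, f"{image} run by {p.parent} on {basename(a)}"))

        # 3. COM-activated Internet Explorer (-Embedding under svchost.exe): the host
        #    in which the Ursnif signature and the C2 traffic show up in this report.
        elif image == "iexplore.exe" and parent == "svchost.exe" and any(a.lower() == "-embedding" for a in args):
            findings.append(("info", p.pid, "iexplore.exe launched via COM (-Embedding) by svchost.exe"))
    return findings


if __name__ == "__main__":
    for sev, pid, why in inspect(PROCS):
        print(f"[{sev:<6}] PID {pid}: {why}")
```

Run as a script it prints one line per finding; inspect() works just as well on Sysmon process-creation events once CommandLine and ParentImage are mapped onto Proc. Check 1 is the one worth keeping noisy: regsvr32 loading anything that is not a library from AppData is rare in normal use and is the step at which this sample goes from script to implant.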
Total events: 8 971
Read events: 2 112
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 1
Text files: 34
Unknown types: 1

Dropped files (PID, process, filename)

1944  iexplore.exe  C:\Users\admin\AppData\Local\Temp\~DF4BA8EF7C85E003F7.TMP
1944  iexplore.exe  C:\Users\admin\AppData\Local\Temp\~DFC109A2BA9DEFF8DA.TMP
1944  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{44CB77DB-54EE-11EA-972D-5254004A04AF}.dat
1944  iexplore.exe  C:\Users\admin\AppData\Local\Temp\CabD5D2.tmp
1944  iexplore.exe  C:\Users\admin\AppData\Local\Temp\CabD5D3.tmp
1944  iexplore.exe  C:\Users\admin\AppData\Local\Temp\CabD5D4.tmp
1944  iexplore.exe  C:\Users\admin\AppData\Local\Temp\TarD5D7.tmp
1944  iexplore.exe  C:\Users\admin\AppData\Local\Temp\TarD5D5.tmp
1944  iexplore.exe  C:\Users\admin\AppData\Local\Temp\TarD5D6.tmp
912   iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\errorPageStrings[1]  (type: text)
      MD5: E3E4A98353F119B80B323302F26B78FA
      SHA256: 9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66
Download PCAP, analyze network streams, HTTP content and a lot more in the full report

HTTP(S) requests: 11
TCP/UDP connections: 17
DNS requests: 4
Threats: 0

HTTP requests

Columns: PID, process, method, HTTP code, IP, CN, type, size, reputation ("-" where the report shows no value), followed by the URL.

2784  regsvr32.exe  GET  -    31.184.254.193:80  RU  -    -      malicious
  http://nort.calag.at/api1/_2FVy2r3/cLZsKZqx6vAXl8ZAGYFCqvY/srGjb_2Bxj/X9gTV2071K2z_2Fvf/5s0o2PKW8qj0/T9chkNNFMm_/2F83DDAzsjN_2B/mGIQrN1WjjMMTGqz5Iwc9/_2BLF5UdWKa3K4K1/mHP7NBTSqaefZF_/2BOGyJtFOm8QWRRDYK/AopTF2av8/g5mDEKU9qsAgqEjZxjA4/GZ2W8pF1_2BhVWttlJT/izxlvxvVEzV7SCPzXBzPxK/XqFZPmzce5sju/J07IPJAL/nKi5q_2Ffpjj2R_0A_0DLDa/6MPzMwGZIZP/YAq8w4wBV/olR

2784  regsvr32.exe  GET  404  31.184.254.193:80  RU  xml  345 b  whitelisted
  http://ad1.wensa.at/api1/zW9D5h3sR/VXz7kqQpZfhR_2FpK5Kt/G1mqODs3gB4gv_2FDvR/bParI8uizUjPA_2BMmkNjq/ATBTl6m_2FruN/jadX1X1A/2XcNH6dj4rD3w_2B_2BVrCG/uB1_2BbRUA/wkacJ0mvYbMNvkLy1/U9y8p1M_2FQD/vLewHtRLfnM/ceONuIFDyUACEp/qjqhv31EAUIPlEqyXMSEO/fr78AKhsnbV08soB/OXE_2Bt_2F1X1XH/g_2FfWI6o2E6sDyeX1/fBre2rnhD/V2opbxBibizNLtM10_0A/_0DNQUVk6I_2BAPEwiK/gFaHhHiUrE/j0

2784  regsvr32.exe  GET  404  31.184.254.193:80  RU  xml  345 b  malicious
  http://nort.calag.at/api1/4yh5UTVRk8wmQEu_2/BhQKNUEfoa4f/UT2QWgHyeWS/xIYUf_2Ftof7JP/PCg62cf0ydS9FyRpz6CnI/e8EQ1c6lgUU5F0xw/Ry5QGh9XZPC_2F7/H_2B88zqxlmCpUFFIq/xHDuH6xUv/cU1G_2Fl2EAhudreDLEJ/oQxrCeUj1cbYzhnAel2/FW_2B_2FoAQ6Ag6aSxO7sz/nalGJfsvKRXMF/FiRc0h_2/FnYwBuazTvF088JGQGX6ZlH/9OQ8iMR2hY/LlHim3_2BrJqtO_2F/NwZ4L7T_0A_0/DCKakdLW3xa/Xq_2F5pdlN1D/oHJGWH

912   iexplore.exe  GET  404  31.184.254.193:80  RU  xml  345 b  whitelisted
  http://ad1.wensa.at/api1/C8CLOlTcFOgm9K_2Bl/I7QD6Gckf/Po32hJ3qi2zy3aYi1p5h/68e7TSxHtwHKpTv22_2/ByCSpGz1yEcjWFl_2F7NCd/ZaHVGpRrTKX9q/wAnbCQjm/ZwYdeOX6KOtFIs_2FKxCZHj/cAK0jJO3ib/GAg01zdzCMkrzCz62/zFKZO7X2lewO/aJs4_2Bppc2/cIu60n0qFi1Mch/9KEUpfunxUSiXXvD1QeG3/JRkH0euUzp_2Bwyn/xarCyUUPOPI9l_2/FjmiMO2Uu5pA5FyOIp/_0A_0D1H0/FcWhVb440MdHoC/tvXXjl0O/j

2784  regsvr32.exe  GET  404  31.184.254.193:80  RU  xml  345 b  malicious
  http://nort.calag.at/api1/DuzThEAS6tVx_2FQj8rv/eKrf4fo90s0BKhLi_2F/L1t9cVcHhLQn1PrfZw9sv3/DMq6kNea0HwUp/xGxGiGv2/IwYLeO6HcHk3fK5AGVWU5Un/_2BD8SAHCj/cbZvKYVNew80N7Azd/_2BvRan0fjbQ/HQo7oy3CGBz/mC2lGmqQz_2FIW/tWkpq5AMBH9FsQ58eqs_2/FgJCYwiyl0oLmrL7/NPOl9lruPEQyvlt/_2B7t7NMVov4Ti4BBh/kWnNzP22_/2F2z4srd4rwgtAgW2urq/_0A_0DU_2Ff_2FgXmiM/rg0mGDOs8/3r8in5zy

4056  iexplore.exe  GET  404  31.184.254.193:80  RU  xml  345 b  malicious
  http://nort.calag.at/api1/YboOC3Xooqoen3Gsiu/gpc33MWNc/hK_2FwyfcAKAA46OYF5i/xACs26tO2w9rwHp_2FU/UV27_2BiQBHsA6W6VgNPqI/gXMd31wWYYgDA/gmty4bJj/xa_2FIYCoGRwrI9tbwuSx_2/BZ8FDc7K0r/5x37oKux_2FtTuZRH/Vuj5k4MQTDoT/v6L8fMEhkNX/mfEsWhV4DI0t66/bPiRtw_2FjlmGiakZ3_2F/RisTaC55fQQWMuzI/FX5QIS_2FHkXtSB/6S1to2b72Ks_2BopQs/IX7DbK_0A/_0DHIHRxkzV8F22Vgb3u/Obko83_2F/48

2784  regsvr32.exe  GET  404  31.184.254.193:80  RU  xml  345 b  whitelisted
  http://ad1.wensa.at/api1/Jamb7mpjCE0rrL52sWJ/sO7Msx7Q3RpGo3KVHn9nIS/AKTfUhFnWWpx1/Dh_2BVKo/xnKh6fBqXSPBJQGyZeoqd7n/DzxW8h4jy2/yqa9GegPo7NrQhd_2/FcdQ08P4GpQx/P3QT4HNzZnv/jA5bTCmEqXdXkY/k6tV3TTzG57yOpkkUaOtV/RnpIBbIs2uJHlvqJ/WlsWvY5U6K_2B4d/wHdta7X2FLhXiiRaSi/TXk1rUtLo/yrZMvQu7lFA4TGqLdOTo/ZSh7sEjKxN_0A_0DzGh/TZsPMahTHtojYM24l_2BWR/LL2

3352  iexplore.exe  GET  404  31.184.254.193:80  RU  xml  345 b  whitelisted
  http://ad1.wensa.at/api1/C5Wiw_2BCz88wLkMSZx/DFX3bjFz3hXa9A8mw9Y3QM/jCc5eNZ8uD2N7/uHTYKkP8/i4AFMa90vm4bicfm2aTDkhJ/h5QFotYm1q/_2BnSSWqdSN32tA9u/hf6N0XNFuXbz/DEAt9CLtOZ6/LNtf2o6aQOV_2F/0THWuuTydejMHOEPAu9Nj/Rl1aIUbi6Uhu98GU/g_2BVhP6als5iqH/Tz07H_2BxeojAilXGs/bQtS188yF/NqXLUwCoeywL3M0mAuX8/y5z_2B9GeNYCG7IX_0A/_0DGPKYN3MJjOUOWodjytG/DKhKklx

4012  iexplore.exe  GET  404  31.184.254.193:80  RU  xml  345 b  whitelisted
  http://ad1.wensa.at/api1/PfsrKIz_2BkX9/fO3_2FGj/oVdAE1c8ySOEY0Cv2bDZZMm/j03f7bQhmb/EcaktXLnk8O9RewTm/UGFhMfbGlehJ/yKKHctPnH_2/FLqqybMClyrLL2/3P_2F20H1X8AIJEABbogT/Cpzo3F7HU5_2Ffo7/bjNpnIYQ08vTn_2/B75hXxGa2VdfcGufiq/4sajs1vMt/vIX6_2B9imlFWqxY0mwl/XW8mNPl5EV6DJu6S1jF/a7raFJ6gCYqSGZ7TenzWY_/2Fwb_2FpqHBAg/knnqZnI4/w_0A_0DZSpjHBqi6zERYokf/LdLxyzEj/xj

2784  regsvr32.exe  GET  404  31.184.254.193:80  RU  xml  345 b  malicious
  http://nort.calag.at/api1/q72qNfsg6/rFlv_2FfUdk0_2B4SBen/0TLSZszJ0_2Fm3KgTO7/1nLNFUrrySdsClto46oUvU/NdNTcGFyojigN/bQNede8s/vISx3W_2FgBU8MO09LwxPi1/gc3fHtJqPi/dBy1hKHHNyb2npVr8/_2F8jaZ2XNcF/FyXToQmdtff/d3WLE_2BUCzZal/acffIqQYfgdgRvt_2FX0L/T12t5YQnl8MJynk_/2FJ6i_2BWDmJidN/4tOVmqlO1IrLbg_2Ba/35JhA4ufG/nozIkEZ32vaquF1_0A_0/DzUZDfrm1wR_2BfX_2F/abbQ6Y_2/FC5iWS
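Every request above goes to the same address, 31.184.254.193, under two hostnames, with long /api1/ paths cut into segments that carry _2B, _2F and _0A_0D tokens. Those tokens are the percent-escapes %2B, %2F, %0A and %0D ('+', '/', LF, CR) with '%' swapped for '_', and everything else in the paths is alphanumeric, which is consistent with line-wrapped base64 under the URL layer. The segment boundaries fall anywhere, including between the '_' and the '2F' ("...FMm_/2F83..." in the first URL, "..._0A/_0D..." in the second), so the segments must be joined before the escapes are undone. The Python below is an added example, not from the report and not the malware's code, that flags such URLs and strips the URL layer. The length and segment thresholds, the "api1" prefix handling and the encode_isfb_style() mimic used for a round-trip check are this example's assumptions, and the bytes it yields are still the implant's encrypted payload, which nothing in this report lets you decrypt.

```python
import base64
import re
from urllib.parse import quote, unquote, urlsplit

# Two of the request URLs from the HTTP table above; the others have the same shape.
REPORT_URLS = [
    "http://nort.calag.at/api1/_2FVy2r3/cLZsKZqx6vAXl8ZAGYFCqvY/srGjb_2Bxj/X9gTV2071K2z_2Fvf/5s0o2PKW8qj0/T9chkNNFMm_/2F83DDAzsjN_2B/mGIQrN1WjjMMTGqz5Iwc9/_2BLF5UdWKa3K4K1/mHP7NBTSqaefZF_/2BOGyJtFOm8QWRRDYK/AopTF2av8/g5mDEKU9qsAgqEjZxjA4/GZ2W8pF1_2BhVWttlJT/izxlvxvVEzV7SCPzXBzPxK/XqFZPmzce5sju/J07IPJAL/nKi5q_2Ffpjj2R_0A_0DLDa/6MPzMwGZIZP/YAq8w4wBV/olR",
    "http://ad1.wensa.at/api1/zW9D5h3sR/VXz7kqQpZfhR_2FpK5Kt/G1mqODs3gB4gv_2FDvR/bParI8uizUjPA_2BMmkNjq/ATBTl6m_2FruN/jadX1X1A/2XcNH6dj4rD3w_2B_2BVrCG/uB1_2BbRUA/wkacJ0mvYbMNvkLy1/U9y8p1M_2FQD/vLewHtRLfnM/ceONuIFDyUACEp/qjqhv31EAUIPlEqyXMSEO/fr78AKhsnbV08soB/OXE_2Bt_2F1X1XH/g_2FfWI6o2E6sDyeX1/fBre2rnhD/V2opbxBibizNLtM10_0A/_0DNQUVk6I_2BAPEwiK/gFaHhHiUrE/j0",
]

ESCAPE_TOKEN = re.compile(r"_(?:2B|2F|3D|0A|0D)")   # '_' + hex pair for + / = LF CR
NOT_B64 = re.compile(r"[^A-Za-z0-9+/]")


def joined_path(url, prefix="api1"):
    """Drop the leading directory and concatenate the remaining segments.
    The '/' separators are inserted after the escaping, so a token such as
    '_2F' can straddle one ('...FMm_/2F83...' in the first report URL)."""
    segs = [s for s in urlsplit(url).path.split("/") if s]
    if segs and segs[0] == prefix:
        segs = segs[1:]
    return "".join(segs)


def looks_like_isfb(url, min_path_len=120, min_segments=6):
    """Heuristic: a long, deeply segmented path whose only non-alphanumerics are
    '_'-escapes, and which decodes to nothing but base64 alphabet and line breaks."""
    path = urlsplit(url).path
    if len(path) < min_path_len or path.count("/") < min_segments:
        return False
    joined = joined_path(url)
    if not ESCAPE_TOKEN.search(joined):
        return False
    return re.fullmatch(r"[A-Za-z0-9+/=\r\n]+", unquote(joined.replace("_", "%"))) is not None


def decode_url_layer(url, prefix="api1"):
    """Undo the '_'-escaping, percent-decoding and base64; returns the bytes underneath
    (still the implant's encrypted payload) or None if they are not valid base64."""
    b64 = NOT_B64.sub("", unquote(joined_path(url, prefix).replace("_", "%")))
    if len(b64) % 4 == 1:         # a lone trailing sextet cannot encode a byte
        b64 = b64[:-1]
    try:
        return base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return None


def encode_isfb_style(data, chunk_sizes=(9, 12, 15, 8, 20)):
    """Constructed forward transform that reproduces the observed shape, used only to
    check decode_url_layer() by round trip; it is not the malware's own routine."""
    b64 = base64.b64encode(data).decode()
    # LF then CR between lines, the order the report's '_0A_0D' tokens show
    wrapped = "\n\r".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    escaped = quote(wrapped, safe="").replace("%", "_")   # '+' '/' '=' LF CR -> _2B _2F _3D _0A _0D
    segs, i, k = [], 0, 0
    while i < len(escaped):
        n = chunk_sizes[k % len(chunk_sizes)]
        segs.append(escaped[i:i + n])
        i, k = i + n, k + 1
    return "/".join(segs)


if __name__ == "__main__":
    for u in REPORT_URLS:
        payload = decode_url_layer(u)
        print(urlsplit(u).netloc, looks_like_isfb(u), len(payload) if payload else None, "bytes")
```

looks_like_isfb() is a triage filter for proxy logs, not a signature: it will also match any service that packs base64 into a path with the same escaping, so treat a hit as a reason to look at the destination and the originating process (here regsvr32.exe and COM-launched iexplore.exe), not as a verdict on its own.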

Connections

Columns: PID, process, IP:port, domain, ASN ("-" where the report shows none), CN, reputation.

1944  iexplore.exe  152.199.19.161:443  iecvlist.microsoft.com  MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted
4056  iexplore.exe  31.184.254.193:80   ad1.wensa.at            -   RU  malicious
2784  regsvr32.exe  31.184.254.193:80   ad1.wensa.at            -   RU  malicious
912   iexplore.exe  31.184.254.193:80   ad1.wensa.at            -   RU  malicious
3352  iexplore.exe  31.184.254.193:80   ad1.wensa.at            -   RU  malicious
4012  iexplore.exe  31.184.254.193:80   ad1.wensa.at            -   RU  malicious

DNS requests

Domain -> IP (reputation):
ad1.wensa.at -> 31.184.254.193 (whitelisted)
iecvlist.microsoft.com -> 152.199.19.161 (whitelisted)
r20swj13mr.microsoft.com -> 152.199.19.161 (whitelisted)
nort.calag.at -> 31.184.254.193 (unknown)

Threats

Columns: PID, process, class, message.

912   iexplore.exe  A Network Trojan was detected  MALWARE [PTsecurity] Ursnif
4012  iexplore.exe  A Network Trojan was detected  MALWARE [PTsecurity] Ursnif
4056  iexplore.exe  A Network Trojan was detected  MALWARE [PTsecurity] Ursnif
3352  iexplore.exe  A Network Trojan was detected  MALWARE [PTsecurity] Ursnif
2784  regsvr32.exe  A Network Trojan was detected  MALWARE [PTsecurity] Ursnif  (6 alerts)

21 ETPRO signatures available in the full report
No debug info