File name: job_presentation_g2s.js
Full analysis: https://app.any.run/tasks/bc9e99f8-9dc1-44ca-a59c-05ac6d30ef77
Verdict: Malicious activity
Threats:

Trojans are malicious programs that masquerade as benign software. Depending on the family, their capabilities range from full remote control of the victim's machine to stealing data and files and dropping other malware, so the main functionality differs significantly from one family to the next. The most common trojan infection chain starts with a phishing email. The tags below identify this sample as Ursnif (also tracked as Gozi), a banking trojan family; here it arrives as a JScript dropper whose file name imitates a job presentation.

Analysis date: February 22, 2020, 00:10:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, gozi, ursnif
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5: 29B39338849F9C254F1C930E0811C8BB
SHA1: A0FB6C1A9B2797E1498B3876DAB36DA96D55F33D
SHA256: 81918E536EB758639ECDECCA1CB8FDE17285CCFC840711C51671DA0B2688B802
SSDEEP: 3072:LbqynsZU+oJ4riJOpgWFxbMI7TZy+YNWjdWODY5CvDjaZ6h38cO2WChcAUPdIN5P:w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Registers / Runs the DLL via REGSVR32.EXE
      • WScript.exe (PID: 3968)
    • URSNIF was detected
      • iexplore.exe (PID: 1932)
      • iexplore.exe (PID: 1544)
      • iexplore.exe (PID: 2652)
      • iexplore.exe (PID: 3316)
      • regsvr32.exe (PID: 3808)
    • Connects to CnC server
      • iexplore.exe (PID: 1932)
      • iexplore.exe (PID: 1544)
      • iexplore.exe (PID: 2652)
      • iexplore.exe (PID: 3316)
      • regsvr32.exe (PID: 3808)
  • SUSPICIOUS
    • Executed via COM
      • iexplore.exe (PID: 2276)
      • iexplore.exe (PID: 2152)
      • iexplore.exe (PID: 3068)
      • iexplore.exe (PID: 2680)
    • Executable content was dropped or overwritten
      • WScript.exe (PID: 3968)
  • INFO
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 1932)
      • iexplore.exe (PID: 2276)
      • iexplore.exe (PID: 2152)
      • iexplore.exe (PID: 1544)
      • iexplore.exe (PID: 3068)
      • iexplore.exe (PID: 2652)
      • iexplore.exe (PID: 2680)
      • iexplore.exe (PID: 3316)
    • Changes internet zones settings
      • iexplore.exe (PID: 2276)
      • iexplore.exe (PID: 2152)
      • iexplore.exe (PID: 3068)
      • iexplore.exe (PID: 2680)
    • Reads internet explorer settings
      • iexplore.exe (PID: 1932)
      • iexplore.exe (PID: 1544)
      • iexplore.exe (PID: 2652)
      • iexplore.exe (PID: 3316)
    • Application launched itself
      • iexplore.exe (PID: 2152)
      • iexplore.exe (PID: 3068)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2276)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2276)
    • Changes settings of System certificates
      • iexplore.exe (PID: 2276)
No Malware configuration.
Total processes: 44
Monitored processes: 10
Malicious processes: 10
Suspicious processes: 0

Behavior graph

start -> wscript.exe -> regsvr32.exe [#URSNIF]
start -> iexplore.exe -> iexplore.exe [#URSNIF]
start -> iexplore.exe (no specs) -> iexplore.exe [#URSNIF]
start -> iexplore.exe (no specs) -> iexplore.exe [#URSNIF]
start -> iexplore.exe (no specs) -> iexplore.exe [#URSNIF]

Process information

PID 3968  WScript.exe
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\job_presentation_g2s.js"
  Path: C:\Windows\System32\WScript.exe
  Parent process: explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: Microsoft ® Windows Based Script Host | Version: 5.8.7600.16385

PID 3808  regsvr32.exe
  CMD: "C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\\SPMtc.txt
  Path: C:\Windows\System32\regsvr32.exe
  Parent process: WScript.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: none reported
  Description: Microsoft(C) Register Server | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Internet Explorer processes (all: Path C:\Program Files\Internet Explorer\iexplore.exe, User admin, Company Microsoft Corporation, Description Internet Explorer, Version 11.00.9600.16428 (winblue_gdr.131013-1700)):

PID  | CMD | Parent process | Integrity level | Exit code
2276 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | svchost.exe | MEDIUM | 1
1932 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2276 CREDAT:267521 /prefetch:2 | iexplore.exe | LOW | 0
2152 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | svchost.exe | MEDIUM | 1
1544 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2152 CREDAT:267521 /prefetch:2 | iexplore.exe | LOW | 0
3068 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | svchost.exe | MEDIUM | 1
2652 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3068 CREDAT:267521 /prefetch:2 | iexplore.exe | LOW | 0
2680 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | svchost.exe | MEDIUM | 1
3316 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2680 CREDAT:267521 /prefetch:2 | iexplore.exe | LOW | 0
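The chain in the process table (a user-launched .js under WScript.exe that writes SPMtc.txt to %TEMP% and then loads it with `regsvr32.exe -s`) is the detection opportunity in this report. The following is an added example, not ANY.RUN's code: the event records are constructed from the process table above plus one constructed benign control row, and the field names (pid, image, cmd, parent_image) are an assumption to be mapped onto a Sysmon Event ID 1 or EDR schema. It generalises beyond this sample to cscript.exe and mshta.exe parents and to other user-writable directories.

```python
"""Process-chain detection for the dropper pattern in this report: a script
host launched on a user-writable script, followed by regsvr32.exe loading a
module that is not a .dll from a user-writable directory.

Added example (not ANY.RUN code). EVENTS is constructed from the process
table above plus one benign control row; the field names are an assumption
and should be mapped to your Sysmon (Event ID 1) or EDR schema.
"""
import ntpath
import re

EVENTS = [
    {"pid": 3968, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\job_presentation_g2s.js"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 3808, "image": r"C:\Windows\System32\regsvr32.exe",
     # The doubled backslash before SPMtc.txt is as captured in the report.
     "cmd": r'"C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\\SPMtc.txt',
     "parent_image": r"C:\Windows\System32\WScript.exe"},
    {"pid": 2276, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding',
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    # Constructed benign control: an installer registering a real DLL.
    {"pid": 4100, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\vendor.dll"',
     "parent_image": r"C:\Program Files\Vendor\setup.exe"},
]

# Generalised beyond this sample: other script hosts such droppers run from,
# and the script extensions explorer.exe hands to them on double-click.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
MODULE_EXTS = {".dll", ".ocx", ".ax"}          # what regsvr32 is normally given
USER_WRITABLE = (r"\appdata\local\temp", r"\users\public", r"\downloads", r"\desktop")


def _basename(path):
    return ntpath.basename(path).lower()


def _tokens(cmd):
    """Windows-style argv split that keeps quoted paths with spaces intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def regsvr32_module(cmd):
    """Module path handed to regsvr32, with -s / /s style switches removed and
    the doubled backslash seen in the captured command line collapsed."""
    args = [t for t in _tokens(cmd)[1:] if not t.startswith(("-", "/"))]
    return args[-1].replace("\\\\", "\\") if args else ""


def _in_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def analyze(events):
    """Return (pid, reason) findings for the script-host -> regsvr32 chain."""
    findings = []
    for ev in events:
        image = _basename(ev["image"])
        parent = _basename(ev["parent_image"])
        if image in SCRIPT_HOSTS:
            scripts = [a for a in _tokens(ev["cmd"])[1:]
                       if ntpath.splitext(a)[1].lower() in SCRIPT_EXTS]
            if scripts and _in_user_writable(scripts[0]):
                findings.append((ev["pid"],
                                 f"{image} ran user-writable script {scripts[0]}"))
        elif image == "regsvr32.exe":
            module = regsvr32_module(ev["cmd"])
            ext = ntpath.splitext(module)[1].lower()
            reasons = []
            if parent in SCRIPT_HOSTS:
                reasons.append(f"parent is script host {parent}")
            if ext not in MODULE_EXTS:
                reasons.append(f"module extension is {ext or '(none)'}")
            if _in_user_writable(module):
                reasons.append("module is in a user-writable directory")
            if reasons:
                findings.append((ev["pid"],
                                 f"regsvr32 loading {module}: " + "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for pid, reason in analyze(EVENTS):
        print(pid, reason)
```

Each of the three regsvr32 checks stands on its own, so the rule still fires if the dropper switches to a .dll extension or to a different script host; the benign installer row produces no finding because its module is a .dll under Program Files with a non-script parent.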
Total events: 8 257
Read events: 1 410
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 7
Text files: 33
Unknown types: 3

Dropped files

PID 2276 iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF0412C4B1586C8FDF.TMP (type and hashes not reported)
PID 2276 iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF5BE773DF84D4963C.TMP (type and hashes not reported)
PID 2276 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{EBF24D5F-5507-11EA-972D-5254004A04AF}.dat (type and hashes not reported)
PID 3968 WScript.exe: C:\Users\admin\AppData\Local\Temp\pwkrZgaluM.DKBR, type: text
  MD5: 66FDE140B0DBED7406AA0682757414DF
  SHA256: DF5BEC366C0CF37050C4E2DEF107BDB79BD9CC9D036E926195D034B10A05948B
PID 3968 WScript.exe: C:\Users\admin\AppData\Local\Temp\SPMtc.txt, type: executable (the module that regsvr32.exe PID 3808 loads)
  MD5: 6ABBB6845BFBCC5074C5A97E7FE4DBA1
  SHA256: F18D2BD079E297C3AEFC2D2D1226D33B93ED81941153E4D2AED0DEFC861441D6
PID 1932 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\http_404[1], type: html
  MD5: F65C729DC2D457B7A1093813F1253192
  SHA256: B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
PID 1932 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\errorPageStrings[1], type: text
  MD5: E3E4A98353F119B80B323302F26B78FA
  SHA256: 9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66
PID 2276 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{EBF24D61-5507-11EA-972D-5254004A04AF}.dat, type: binary
  MD5: 366554EA4CD256242C41F97BB1A1330B
  SHA256: 2296BCD339C89387E309143FF0E1DC85E6810B63B7C1148A1EF307DD73B092FB
PID 2276 iexplore.exe: C:\Users\admin\AppData\Local\Temp\CabD3AF.tmp (type and hashes not reported)
PID 2276 iexplore.exe: C:\Users\admin\AppData\Local\Temp\TarD3B0.tmp (type and hashes not reported)
HTTP(S) requests: 44
TCP/UDP connections: 51
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | CN | Type | Size | Reputation | URL
2276 | iexplore.exe | GET | 200 | 93.184.220.29:80 | US | der | 1.47 Kb | whitelisted | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D (this request appears three times in the report)
2652 | iexplore.exe | GET | 404 | 31.184.254.193:80 | RU | html | 123 b | malicious | http://nort.calag.at/api1/T_2BIi9cndgE7hj9/Ed79Q_2BzJjbyMT/5plzX7Ns85QmYlPFku/NX5XJM04I/G6n5qJ3AhnpPHudoxMHe/NkJa0cs998WWDT5vwRp/RczzAJmqJaCcUZTykl2Xm8/gpNdfFTHLmg03/eN909NzB/38g_2FUXmbcWGvHKlEhDxHe/PBLSZbfWCw/abmzQWugDNWOHsfh7/hgOr8XjKRH6p/oCjx7toWqHf/s60zHpRHyFK9wg/td7BoeLVy3f11b_2Fgwqu/_2Bap2jx3qvG9w_0/A_0D_2BNkbgjNFb/_2FivPOcpP2MtvMo/bf8
3808 | regsvr32.exe | GET | 404 | 31.184.254.193:80 | RU | html | 162 b | whitelisted | http://ad1.wensa.at/api1/3DRapPOG/JpZ3v3hddFsULqThH7qNy94/TAj_2BNnmQ/6x6JUjYdh5E64MfHG/iOaH792aQeay/XiArnbsH0Dy/gOSLMHFTDO9xBn/5xzBoBqEQt0wBC_2BNyW8/B5VvDiq2VkVjuUsS/BH2fN8EUcYxYj8h/KEMnc8wYu97DXg5t_2/BVvYo2zLv/1l9Ko5nesY375rl5vapw/CQRYUr9Q7teNai3_2FE/k_2FRFe_2FiE98Pt4ZRPIr/dkKiP1TdYPbfe/3X8zc7sa/lhjOTUBj_0A_0DpftQDv_2F/cY_2FFTaU/YE9bpYgFKB_2F/1
3808 | regsvr32.exe | GET | 404 | 31.184.254.193:80 | RU | html | 162 b | malicious | http://nort.calag.at/api1/MYFigQ_2FZUPY/i_2Fhzfw/bBrUOX7f6AMVmZkQ8QgnCoc/Kv4VHW_2BS/HJdi2mef_2BkBlV_2/B_2FZbBEXpCB/wSUdsnCp4NU/u3WspHS04SrZj0/gcwENdWf_2BeetSyQ4T8Z/7fanB7jcUVT53qy7/i2J0ncEozZFhAvd/TE8_2FYl7XICcVuEgZ/FP8YymxaU/zglo4VX45jM1x_2B2oXV/7v3rSCHtUMK6T4PHKtE/ZZnEv1Dr0X7PbXzSa3zvzV/3GiNfFFtBqlAv/z6FJIYF2/u_0A_0D8ojt1wYmga5K8rRA/HURFPSp0/ji
3808 | regsvr32.exe | GET | 404 | 31.184.254.193:80 | RU | html | 162 b | malicious | http://nort.calag.at/api1/NF6hU5yPiV2zCw1GRT0x_/2FGscMpHbA0n2ch6/n_2FWIVC8nSWE_2/BM8r4nc51xljjs_2B0/OnzQagyrI/uAftPM6np_2BliKuyEL5/d2qmZ1X0vsXFxNG1BrE/6vvUw28s_2Fwlq1Zmj7sGj/fG7MBmYx_2FN_/2Fny7aDT/kktZX67r_2BLCcG1n4iFLyX/BOnJbigESv/PvKTDFNS_2FVcLzXf/HYcvzLgp_2FH/Lu5YRoo5UO2/ARd1u8zTZ_2FwE/r4W_2BMnxWcWaw84Kzk9Y/Buo9Ai0Rg_0A_0DG/xhu4RZ4chfi_2Bi/T0lk9EidOo/KN
3808 | regsvr32.exe | GET | 404 | 31.184.254.193:80 | RU | html | 162 b | malicious | http://nort.calag.at/api1/i4HQ6g_2B3nY7/k8VDDrir/wFHQIiP11Wl6BgajmsEX6YS/SmXwAx7ZDT/_2BAXqJtF4jw6rDzB/FXNCi4RYUrEQ/_2BR59aJ9zp/O46DJBeyWz0KdD/nGbMQfAX0e8W_2B_2F84_/2FeJxPjy1IyggQo_/2BNmzaTWUqIrbtV/joblWtTkzAUriTVgu0/hrRi3q0EN/nLK4pxlDBeK9yIBphT6i/Mb59LZJRA_2BHLIsdvj/rkwRl3JIGYEThF1S0U7XTl/aPAhwUC1zCbm5/YGBZ_2Fo/a_0A_0Dl24Spg_2FzBXPyBt/cJ18x5PNE2/z9
3808 | regsvr32.exe | GET | 404 | 31.184.254.193:80 | RU | html | 162 b | whitelisted | http://ad1.wensa.at/api1/eRQb711NqMG7/YjI0_2BbHnR/wd_2F2L7kAwydf/9XsJCBc69ytt8IyBIvTgx/WwAJ2PgXJJFePb0U/x3e0vfXXMQhm8By/ejD16aJ8UPMBlmQHVn/holD7Es5T/ZazCKRcWz5WJpM_2BK0U/5C_2BC8Sl2m1GyTjOsw/OkgRlc1g2o2xx_2Bmxc4UU/EtGu4gU4I1k89/YLQbgJzl/bwb0_2BYZMyip6eRRjuVLl5/K_2FgAgjgP/p46uS9wg2Ds_2B9G1/KmfXv83dIISP/xYCUZQkV_0A/_0DZ3n4xCHlZKd/eIBhtxudvucKar/c
3808 | regsvr32.exe | GET | 404 | 31.184.254.193:80 | RU | html | 162 b | whitelisted | http://ad1.wensa.at/api1/SGTm6O1hVQm/GIx_2B8rNHiZ2J/RiyUYkjPMr35GkMC32zL1/zPvgd0CZD6kne53h/OsP2vBF2ZwCrY_2/BTIRX2XO_2BCPLHXMq/z1Q9ztmfj/2MVmu8E_2FGhyfYovKEW/OYjRSeHIyDFwrlZUdYC/woLUgwOTW5M4ValXTdRhGE/Rg0OVzQIb_2FG/IFeZxqZV/AgR_2FNXqAGCwQfA3L2FqMs/ZfIS1HjIn4/pbdwBsSrTOogumVrv/Pbp1MQUPFbVM/X6eOZJJadZr/Iq9OK_0A_0DZLx/jvnZ_2FuLHoxjjklzhVWG/5uQ2
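Every check-in above shares one shape: `/api1/` followed by a long [A-Za-z0-9_] blob split into many segments by `/`, containing the escape-like tokens `_2B`, `_2F` and `_0A_0D`, with no query string and no file extension, and every one was answered 404 and still tagged Ursnif by the IDS. Note also that the same host, ad1.wensa.at, is marked "whitelisted" in several rows and in the DNS table while the connection and IDS rows call it malicious; host reputation lags, so the URL structure is the more durable hunt key. The following structural heuristic is an added example, not ANY.RUN's code or a published signature: the five features and the threshold are my assumptions fitted to the nine requests on this page, the two Ursnif and the OCSP URLs are copied from the table, and the chrome.exe row is constructed as a benign control. The blob is rebuilt by joining the segments before matching, because the random slash inserts split tokens (`KEMnc8wYu97DXg5t_2/BVvYo2zLv` carries `_2B` across a segment boundary).

```python
"""Structural heuristic for the Ursnif/Gozi check-in URLs in the HTTP table:
'/api1/' plus a long, slash-fragmented [A-Za-z0-9_] blob containing the
escape-like tokens _2B, _2F and _0A_0D. Each URL is scored on five features,
so a campaign that changes the '/api1/' prefix still scores 4 of 5.

Added example (not ANY.RUN code). Thresholds are my assumptions fitted to the
nine C2 requests on this page; the two Ursnif rows and the OCSP row are from
the table, the chrome.exe row is constructed as a benign control.
"""
import re
from urllib.parse import urlsplit

BLOB_RE = re.compile(r"^[A-Za-z0-9_]+$")
OBF_TOKENS = ("_2B", "_2F", "_0A_0D")

RECORDS = [  # (pid, process, http_code, url)
    (2652, "iexplore.exe", 404,
     "http://nort.calag.at/api1/T_2BIi9cndgE7hj9/Ed79Q_2BzJjbyMT/5plzX7Ns85QmYlPFku/NX5XJM04I/G6n5qJ3AhnpPHudoxMHe/NkJa0cs998WWDT5vwRp/RczzAJmqJaCcUZTykl2Xm8/gpNdfFTHLmg03/eN909NzB/38g_2FUXmbcWGvHKlEhDxHe/PBLSZbfWCw/abmzQWugDNWOHsfh7/hgOr8XjKRH6p/oCjx7toWqHf/s60zHpRHyFK9wg/td7BoeLVy3f11b_2Fgwqu/_2Bap2jx3qvG9w_0/A_0D_2BNkbgjNFb/_2FivPOcpP2MtvMo/bf8"),
    (3808, "regsvr32.exe", 404,
     "http://ad1.wensa.at/api1/3DRapPOG/JpZ3v3hddFsULqThH7qNy94/TAj_2BNnmQ/6x6JUjYdh5E64MfHG/iOaH792aQeay/XiArnbsH0Dy/gOSLMHFTDO9xBn/5xzBoBqEQt0wBC_2BNyW8/B5VvDiq2VkVjuUsS/BH2fN8EUcYxYj8h/KEMnc8wYu97DXg5t_2/BVvYo2zLv/1l9Ko5nesY375rl5vapw/CQRYUr9Q7teNai3_2FE/k_2FRFe_2FiE98Pt4ZRPIr/dkKiP1TdYPbfe/3X8zc7sa/lhjOTUBj_0A_0DpftQDv_2F/cY_2FFTaU/YE9bpYgFKB_2F/1"),
    (2276, "iexplore.exe", 200,
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D"),
    # Constructed benign control: an ordinary REST call with a query string.
    (4100, "chrome.exe", 200,
     "https://api.example.com/v1/users/123/profile?fields=name,email"),
]


def url_features(url):
    """Five boolean features. The blob is rebuilt by joining the path segments
    because the random '/' inserts split tokens across segment boundaries."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    body = segments[1:] if segments[:1] == ["api1"] else segments
    blob = "".join(body)
    return {
        "api1_prefix": parts.path.startswith("/api1/"),
        "many_segments": len(segments) >= 8,
        "long_blob": len(blob) >= 200,
        "restricted_alphabet": bool(BLOB_RE.match(blob)) and not parts.query,
        "escape_tokens": any(t in blob for t in OBF_TOKENS),
    }


def beacon_score(url):
    return sum(url_features(url).values())


def hunt(records, threshold=4):
    """Rows whose URL scores at least `threshold`. The HTTP code is carried
    but never gates the match: every beacon on this page was answered 404
    and the IDS still flagged the flow as Ursnif."""
    flagged = []
    for pid, proc, code, url in records:
        score = beacon_score(url)
        if score >= threshold:
            flagged.append((pid, proc, code, urlsplit(url).hostname, score))
    return flagged


if __name__ == "__main__":
    for row in hunt(RECORDS):
        print(row)
```

Run it over proxy or PCAP-derived HTTP logs with a (pid, process, code, url) tuple per request; the percent-encoded OCSP request fails the alphabet and length features and the REST call fails on the query string and short path, while both Ursnif rows score 5.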

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2276 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2276 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2652 | iexplore.exe | 31.184.254.193:80 | ad1.wensa.at | (not listed) | RU | malicious
1544 | iexplore.exe | 31.184.254.193:80 | ad1.wensa.at | (not listed) | RU | malicious
3316 | iexplore.exe | 31.184.254.193:80 | ad1.wensa.at | (not listed) | RU | malicious
3808 | regsvr32.exe | 31.184.254.193:80 | ad1.wensa.at | (not listed) | RU | malicious
1932 | iexplore.exe | 31.184.254.193:80 | ad1.wensa.at | (not listed) | RU | malicious
(not listed) | (not listed) | 31.184.254.193:80 | ad1.wensa.at | (not listed) | RU | malicious

DNS requests

Domain | IP | Reputation
ad1.wensa.at | 31.184.254.193 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
nort.calag.at | 31.184.254.193 | unknown

Threats

PID | Process | Class | Message | Alerts
1932 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ursnif | 1
1544 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ursnif | 1
2652 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ursnif | 1
3316 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ursnif | 1
3808 | regsvr32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ursnif | 6
78 ETPRO signatures available at the full report
No debug info