analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://desop.fi/wp-content/plugins/Swift_Reimbursement_Slip.zip

Full analysis: https://app.any.run/tasks/8ecbe9e1-4932-4e40-b51d-ff24224000ee
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: September 19, 2019, 08:47:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
trojan
dunihi
Indicators:
MD5:

54EC7EF9BC0557FABF6DCBC2DCE0659D

SHA1:

CF2B2B7CDB28E3D9A44BFA58ED96315D0B4DC6F0

SHA256:

9864C3E4E988DB9F4D8F8964CEABF88197F1F046484A1B171EB2006387D88719

SSDEEP:

3:N1KaAWZVYAQjcLkSuzRhfU:CazUAscY1Lc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • WScript.exe (PID: 3152)

    • Changes the autorun value in the registry

      • WScript.exe (PID: 3152)

    • DUNIHI was detected

      • wscript.exe (PID: 3132)

    • Connects to CnC server

      • wscript.exe (PID: 3132)

  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 3152)
      • notepad++.exe (PID: 3828)

    • Application launched itself

      • WScript.exe (PID: 3152)

    • Executes scripts

      • WScript.exe (PID: 3152)

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 4040)
      • iexplore.exe (PID: 3552)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 4040)
      • iexplore.exe (PID: 3552)

    • Application launched itself

      • iexplore.exe (PID: 3552)

    • Changes internet zones settings

      • iexplore.exe (PID: 3552)

    • Manual execution by user

      • notepad.exe (PID: 3404)
      • WScript.exe (PID: 3152)
      • notepad++.exe (PID: 3828)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winrar.exe no specs notepad.exe no specs notepad++.exe gup.exe wscript.exe #DUNIHI wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
3552"C:\Program Files\Internet Explorer\iexplore.exe" "http://desop.fi/wp-content/plugins/Swift_Reimbursement_Slip.zip"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4040"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3552 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2312"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Swift_Reimbursement_Slip.zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3404"C:\Windows\system32\notepad.exe" C:\Windows\system32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3828"C:\Program Files\Notepad++\notepad++.exe" C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.51
3148"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
4294967295
Version:
4.1
3152"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Swift_Reimbursement Slip.js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3132"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\Swift_Reimbursement Slip.js"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
2 205
Read events
1 982
Write events
218
Delete events
5

Modification events

(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{2203580F-DABA-11E9-B86F-5254004A04AF}
Value:
0
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
2
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E30709000400130008002F0027005601
Executable files
0
Suspicious files
3
Text files
13
Unknown types
5

Dropped files

PID
Process
Filename
Type
3552iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF3D1762019CE32D9A.TMP
MD5:
SHA256:
3552iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
3552iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3552iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF68906A55BE0738FB.TMP
MD5:
SHA256:
3552iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{2203580F-DABA-11E9-B86F-5254004A04AF}.dat
MD5:
SHA256:
2312WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2312.39277\Swift_Reimbursement Slip.js
MD5:
SHA256:
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:D69F36F597A09ABD1E1BEDDF1C5EE565
SHA256:6548FF55ACEC9CF6154024B29590E78B23C0DA1A1E6297E6A81FA58D6CA98C5D
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:A65035BDCE097050F506FD8791C29534
SHA256:203280B2033FC7A80B37CB9CADC995019197318704E8B29888BC6B88203FB8FB
3552iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{22035810-DABA-11E9-B86F-5254004A04AF}.datbinary
MD5:16DB9C2FD586EA66E8FE8D63A8BB82B7
SHA256:E324736B61388A39A0CC3A1C6589A2DA814344429910C91A25F077672E712F84
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\X39NT03S\Swift_Reimbursement_Slip[1].zipcompressed
MD5:30D0A3A62B48A336309EC6C81EC95DC6
SHA256:3EC3CC3B5F75B6CC36BBDE4357465B25FAE5A73AF326C7C7A28F0147DBAF1C17
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
28
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
4040
iexplore.exe
GET
200
31.187.84.51:80
http://desop.fi/wp-content/plugins/Swift_Reimbursement_Slip.zip
FI
compressed
20.3 Kb
malicious
3132
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
3132
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
3132
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
3132
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
3132
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
3132
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
3132
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
3132
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3552
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
4040
iexplore.exe
31.187.84.51:80
desop.fi
Euronic Oy
FI
malicious
3132
wscript.exe
178.124.140.148:3571
Republican Unitary Telecommunication Enterprise Beltelecom
BY
malicious
3148
gup.exe
104.31.89.28:443
notepad-plus-plus.org
Cloudflare Inc
US
shared
178.124.140.148:3571
Republican Unitary Telecommunication Enterprise Beltelecom
BY
malicious

DNS requests

Domain
IP
Reputation
desop.fi
  • 31.187.84.51
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
notepad-plus-plus.org
  • 104.31.89.28
  • 104.31.88.28
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
3132
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3132
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
3132
wscript.exe
A Network Trojan was detected
AV MALWARE VBS.Dunihi Check-in UA
3132
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
4040
iexplore.exe
Misc activity
ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)
3132
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3132
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
3132
wscript.exe
A Network Trojan was detected
AV MALWARE VBS.Dunihi Check-in UA
3132
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
3132
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://desop.fi/wp-content/plugins/Swift_Reimbursement_Slip.zip