analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://desop.fi/wp-content/plugins/Swift_Reimbursement_Slip.zip

Full analysis: https://app.any.run/tasks/f1dd01e1-57b5-4aad-a007-f7fb3e67d9f0
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: September 19, 2019, 08:44:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
trojan
dunihi
Indicators:
MD5:

54EC7EF9BC0557FABF6DCBC2DCE0659D

SHA1:

CF2B2B7CDB28E3D9A44BFA58ED96315D0B4DC6F0

SHA256:

9864C3E4E988DB9F4D8F8964CEABF88197F1F046484A1B171EB2006387D88719

SSDEEP:

3:N1KaAWZVYAQjcLkSuzRhfU:CazUAscY1Lc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • WScript.exe (PID: 2340)
      • WScript.exe (PID: 2800)
    • DUNIHI was detected

      • wscript.exe (PID: 3592)
      • wscript.exe (PID: 2784)
    • Changes the autorun value in the registry

      • WScript.exe (PID: 2340)
      • WScript.exe (PID: 2800)
    • Connects to CnC server

      • wscript.exe (PID: 3592)
      • wscript.exe (PID: 2784)
  • SUSPICIOUS

    • Connects to unusual port

      • wscript.exe (PID: 3592)
      • wscript.exe (PID: 2784)
    • Executes scripts

      • WScript.exe (PID: 2340)
      • WinRAR.exe (PID: 4008)
      • WScript.exe (PID: 2800)
    • Creates files in the user directory

      • WScript.exe (PID: 2340)
    • Application launched itself

      • WScript.exe (PID: 2340)
      • WScript.exe (PID: 2800)
  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 2764)
      • iexplore.exe (PID: 3380)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2764)
    • Application launched itself

      • iexplore.exe (PID: 2764)
    • Manual execution by user

      • explorer.exe (PID: 2704)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2764)
      • iexplore.exe (PID: 3380)
    • Changes internet zones settings

      • iexplore.exe (PID: 2764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
8
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winrar.exe no specs explorer.exe no specs wscript.exe #DUNIHI wscript.exe wscript.exe #DUNIHI wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
2764"C:\Program Files\Internet Explorer\iexplore.exe" "http://desop.fi/wp-content/plugins/Swift_Reimbursement_Slip.zip"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3380"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2764 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4008"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Swift_Reimbursement_Slip.zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2704"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2340"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa4008.23066\Swift_Reimbursement Slip.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3592"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\Swift_Reimbursement Slip.js"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2800"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa4008.24901\Swift_Reimbursement Slip.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2784"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\Swift_Reimbursement Slip.js"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
1 824
Read events
1 675
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
13
Unknown types
5

Dropped files

PID
Process
Filename
Type
2764iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2764iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2764iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF6EA18B2373CD9369.TMP
MD5:
SHA256:
2764iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFDBAAB2928E5CF6B0.TMP
MD5:
SHA256:
2764iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C3E6CDA1-DAB9-11E9-B86F-5254004A04AF}.dat
MD5:
SHA256:
3380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WX89IB9D\Swift_Reimbursement_Slip[1].zipcompressed
MD5:30D0A3A62B48A336309EC6C81EC95DC6
SHA256:3EC3CC3B5F75B6CC36BBDE4357465B25FAE5A73AF326C7C7A28F0147DBAF1C17
2764iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{C3E6CDA2-DAB9-11E9-B86F-5254004A04AF}.datbinary
MD5:31D0A0C6A4519F402C72FB6235593CFA
SHA256:D955925D88FDBF1FBCB7CC9FB9D7D096DCD94816F105A0470459584EF1409F07
3380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:A620176395E2A2B0D85F5BF6BEF4B035
SHA256:151B3392F2195FC70868E46C8908C9B6D9AF637DF703CD9604BA5B5CA1A5C128
3380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:3515B5C79389732D9D4FFD42E10E720A
SHA256:089BEB4A7A5043CB80605833F081400427D4FBE834E69F1CC7491C1C1E4032FB
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa4008.23066\Swift_Reimbursement Slip.jstext
MD5:917DEACBFA7AC4DC0DEE16FF6BE61272
SHA256:80D6FED40FD076B63B5C790FA799E06205416175C69835BFD2EACF1CBBD8828D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
11
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3592
wscript.exe
POST
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
malicious
3380
iexplore.exe
GET
200
31.187.84.51:80
http://desop.fi/wp-content/plugins/Swift_Reimbursement_Slip.zip
FI
compressed
20.3 Kb
malicious
2784
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
3592
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
2764
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3592
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
3592
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
3592
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
2784
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
2784
wscript.exe
POST
200
178.124.140.148:3571
http://178.124.140.148:3571/is-ready
BY
text
12 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2764
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2784
wscript.exe
178.124.140.148:3571
Republican Unitary Telecommunication Enterprise Beltelecom
BY
malicious
3592
wscript.exe
178.124.140.148:3571
Republican Unitary Telecommunication Enterprise Beltelecom
BY
malicious
3380
iexplore.exe
31.187.84.51:80
desop.fi
Euronic Oy
FI
malicious

DNS requests

Domain
IP
Reputation
desop.fi
  • 31.187.84.51
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

PID
Process
Class
Message
3380
iexplore.exe
Misc activity
ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)
3592
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3592
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
3592
wscript.exe
A Network Trojan was detected
AV MALWARE VBS.Dunihi Check-in UA
3592
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
3592
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3592
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
3592
wscript.exe
A Network Trojan was detected
AV MALWARE VBS.Dunihi Check-in UA
3592
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
3592
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
No debug info