download:

uc

Full analysis: https://app.any.run/tasks/ba0e063f-4318-44d1-80a0-7ab29edbab33
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: March 21, 2019, 21:51:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
dunihi
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

7EBB32D2A02E8CA090B9FFD527549AFC

SHA1:

A365454CD89CAB4513854AD99C87FE7FC91DC197

SHA256:

A2AC417D211E662B4A6FD673D07C7132AFA2D2A16845DB5C184B9D57AFB0F681

SSDEEP:

384:8APfjN7lRGKyczjz6QML5jXhfTOx5F22Rapo450IYXY/d2F8cYvTpN+XoMf:fBKFcz691D1Cx5F2IqoujYXQdCtBXXf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 2940)
      • wscript.exe (PID: 2132)
      • wscript.exe (PID: 1520)

    • Writes to a start menu file

      • WScript.exe (PID: 2940)
      • wscript.exe (PID: 2132)
      • wscript.exe (PID: 1520)

    • Connects to CnC server

      • wscript.exe (PID: 2132)

    • DUNIHI was detected

      • wscript.exe (PID: 2132)

  • SUSPICIOUS

    • Executes scripts

      • WinRAR.exe (PID: 1592)
      • WScript.exe (PID: 2940)
      • wscript.exe (PID: 2132)

    • Creates files in the user directory

      • WScript.exe (PID: 2940)
      • wscript.exe (PID: 1520)

    • Connects to unusual port

      • wscript.exe (PID: 1520)
      • wscript.exe (PID: 2132)

    • Application launched itself

      • WScript.exe (PID: 2940)
      • wscript.exe (PID: 2132)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 23358
UncompressedSize: 57017
OperatingSystem: Win32
ModifyDate: 2019:03:21 10:55:26
PackingMethod: Normal
ArchivedFileName: copia en PDF del ESTADO N? 11 del 21 de marzo del 2019.vbs
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe wscript.exe #DUNIHI wscript.exe wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1520"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\hiPtwUXMlP.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1592"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\uc.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2132"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2656"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\hiPtwUXMlP.vbs"C:\Windows\System32\wscript.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2940"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa1592.10953\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbs" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
973
Read events
821
Write events
152
Delete events
0

Modification events

(PID) Process:(1592) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1592) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1592) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1592) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\uc.rar
(PID) Process:(1592) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1592) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1592) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1592) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1592) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:@C:\Windows\System32\wshext.dll,-4802
Value:
VBScript Script File
(PID) Process:(2940) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
0
Suspicious files
0
Text files
9
Unknown types
1

Dropped files

PID
Process
Filename
Type
1592WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa1592.10953\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbstext
MD5:
SHA256:
1520wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hiPtwUXMlP.vbstext
MD5:
SHA256:
2940WScript.exeC:\Users\admin\AppData\Roaming\hiPtwUXMlP.vbstext
MD5:
SHA256:
2132wscript.exeC:\Users\admin\AppData\Roaming\hiPtwUXMlP.vbstext
MD5:
SHA256:
2940WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbstext
MD5:
SHA256:
2940WScript.exeC:\Users\admin\AppData\Local\Temp\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbstext
MD5:
SHA256:
2132wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbstext
MD5:
SHA256:
1520wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
51
DNS requests
2
Threats
82

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2132
wscript.exe
POST
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
malicious
2132
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2132
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2132
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2132
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2132
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2132
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2132
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2132
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2132
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2132
wscript.exe
186.85.86.77:2012
marzo12.duckdns.org
Telmex Colombia S.A.
CO
malicious
1520
wscript.exe
194.5.98.150:7789
brothersjoy.nl
FR
malicious

DNS requests

Domain
IP
Reputation
marzo12.duckdns.org
  • 186.85.86.77
malicious
brothersjoy.nl
  • 194.5.98.150
unknown

Threats

PID
Process
Class
Message
1072
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2132
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2132
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2132
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
2132
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2132
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2132
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
2132
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2132
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2132
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
No debug info