analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://drive.google.com/uc?id=1c221X42oW88KuSRdNrrjf6IVbut5Tiig&export=download&authuser=0

Full analysis: https://app.any.run/tasks/0e045b31-82ad-4b45-b6e3-6fc0b6feac9c
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: March 21, 2019, 22:01:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
dunihi
Indicators:
MD5:

E5C8C3BC014B51BCC7E36AC407F62CBD

SHA1:

54D728530D5C041AD7292C003EC59D60F0923FC1

SHA256:

C61F390A52B34F1747EC17919A516972DD1A96923252868A1DDF1AB8FE21B7C2

SSDEEP:

3:N8PMMtZJu2NMu/X6zx+72wR+c1CaIn:2A2H/X6zx+iklMjn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • WScript.exe (PID: 2064)
      • wscript.exe (PID: 2780)
      • wscript.exe (PID: 3448)
    • Changes the autorun value in the registry

      • WScript.exe (PID: 2064)
      • wscript.exe (PID: 2780)
      • wscript.exe (PID: 3448)
    • DUNIHI was detected

      • wscript.exe (PID: 3448)
    • Connects to CnC server

      • wscript.exe (PID: 3448)
  • SUSPICIOUS

    • Executes scripts

      • WScript.exe (PID: 2064)
      • WinRAR.exe (PID: 4020)
      • wscript.exe (PID: 3448)
    • Creates files in the user directory

      • WScript.exe (PID: 2064)
      • wscript.exe (PID: 2780)
    • Application launched itself

      • WScript.exe (PID: 2064)
      • wscript.exe (PID: 3448)
    • Connects to unusual port

      • wscript.exe (PID: 3448)
      • wscript.exe (PID: 2780)
  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 1276)
    • Application launched itself

      • iexplore.exe (PID: 2376)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2376)
      • iexplore.exe (PID: 1276)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2376)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2376)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2376)
    • Changes internet zones settings

      • iexplore.exe (PID: 2376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
7
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winrar.exe no specs wscript.exe wscript.exe #DUNIHI wscript.exe wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2376"C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/uc?id=1c221X42oW88KuSRdNrrjf6IVbut5Tiig&export=download&authuser=0C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1276"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2376 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4020"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HFAONZX0\ARCHIVO_DEL_EMBARGO_PENDIENTE_POR_SER_EJECUTADO_EN_LA_CUENTA_QUE_SE_ENCUENTRA_A_SU_NOMBRE[1].rar"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2064"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa4020.24835\ARCHIVO DEL EMBARGO PENDIENTE POR SER EJECUTADO EN LA CUENTA QUE SE ENCUENTRA A SU NOMBRE.vbs" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2780"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\hiPtwUXMlP.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3448"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\ARCHIVO DEL EMBARGO PENDIENTE POR SER EJECUTADO EN LA CUENTA QUE SE ENCUENTRA A SU NOMBRE.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2052"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\hiPtwUXMlP.vbs"C:\Windows\System32\wscript.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
Total events
1 609
Read events
1 416
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
18
Unknown types
5

Dropped files

PID
Process
Filename
Type
1276iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt
MD5:
SHA256:
2376iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFFE6D8183D253132C.TMP
MD5:
SHA256:
2376iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF38DCDF548D48E398.TMP
MD5:
SHA256:
2376iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F7660909-4C24-11E9-A302-5254004A04AF}.dat
MD5:
SHA256:
1276iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[2].txttext
MD5:9E875795296D41A66568A457DC896FB5
SHA256:CAD184D026CE8607E9E784A376B6973E411030FEBB424A85EAB634CB25B0A372
1276iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:4D1FD4A2B262EAAAD7FDE09A7282E188
SHA256:72C48280BB0762FD3CE0767192288CAF03BAC4CE1E1717E02CD4FE40798CDC1D
2064WScript.exeC:\Users\admin\AppData\Roaming\hiPtwUXMlP.vbstext
MD5:263C3F70EA71860CAEB502ED9614DE92
SHA256:DEC8AF07250D4C8D7FDA51EBF825EF282225F946CEC113BDD4E98F313DAF1CB7
1276iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.logtext
MD5:C4C6BFFE10BEB54C455B5E7CB3DE159A
SHA256:AD7E603D21530C407A5DB821249620ECAD119ACE8D958D687FA31D89A4D05367
1276iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HFAONZX0\ARCHIVO_DEL_EMBARGO_PENDIENTE_POR_SER_EJECUTADO_EN_LA_CUENTA_QUE_SE_ENCUENTRA_A_SU_NOMBRE[1].rarcompressed
MD5:A883521A8CC2569246121D444DAEF83D
SHA256:4C23841D645F45EB5E680AE1DEEAA2B4DC577E3C1809A238C9A9CA3EFF32D1A8
1276iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019032120190322\index.datdat
MD5:5B5BF6FEB7345DBEEC2FC7AAA6113499
SHA256:38CCA55470FC983C902E4E26E9E6C82774BB63E6BD3010FEA37317299B17EE28
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
35
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3448
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
3448
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
3448
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
3448
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
3448
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
3448
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
3448
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
3448
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
3448
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
3448
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1276
iexplore.exe
172.217.22.110:443
drive.google.com
Google Inc.
US
whitelisted
2376
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1276
iexplore.exe
172.217.21.193:443
doc-10-3s-docs.googleusercontent.com
Google Inc.
US
whitelisted
2780
wscript.exe
194.5.98.150:7789
brothersjoy.nl
FR
malicious
3448
wscript.exe
186.85.86.77:2012
marzo12.duckdns.org
Telmex Colombia S.A.
CO
malicious

DNS requests

Domain
IP
Reputation
drive.google.com
  • 172.217.22.110
shared
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
doc-10-3s-docs.googleusercontent.com
  • 172.217.21.193
shared
brothersjoy.nl
  • 194.5.98.150
unknown
marzo12.duckdns.org
  • 186.85.86.77
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3448
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3448
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
3448
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
3448
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3448
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
3448
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
3448
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3448
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
3448
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
No debug info