Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
USB DISK.lnk

Overview

General Information

Sample Name:USB DISK.lnk
Analysis ID:659986
MD5:c78e81cc700617124974b7d22e4ba00c
SHA1:8448ecfa3b175a277f9b4938610bc0f6b201eb96
SHA256:c708cad33342728e48fe6a046b44e4c302fd5965c96b838f3c7bbcefef91dcb6
Tags:lnk
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes
Machine Learning detection for sample
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • cmd.exe (PID: 5220 cmdline: "C:\Windows\System32\cmd.exe" /rtyPE fn.icO|cmD MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2364 cmdline: C:\Windows\system32\cmd.exe /S /D /c" tyPE fn.icO" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • cmd.exe (PID: 5576 cmdline: cmD MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: USB DISK.lnkJoe Sandbox ML: detected
Source: C:\Windows\System32\conhost.exeFile read: C:\Users\desktop.iniJump to behavior
Source: classification engineClassification label: mal52.winLNK@6/0@0/0
Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /rtyPE fn.icO|cmD
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" tyPE fn.icO"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmD
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" tyPE fn.icO"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmDJump to behavior

Persistence and Installation Behavior

barindex
Source: LNK fileProcess created: C:\Windows\System32\cmd.exe
Source: LNK fileProcess created: C:\Windows\System32\cmd.exe
Source: LNK fileProcess created: C:\Windows\System32\cmd.exe
Source: LNK fileProcess created: C:\Windows\System32\cmd.exeJump to behavior
Source: LNK fileProcess created: C:\Windows\System32\cmd.exeJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" tyPE fn.icO"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmDJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath Interception11
Process Injection		11
Process Injection		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
File and Directory Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 659986 Sample: USB DISK.lnk Startdate: 08/07/2022 Architecture: WINDOWS Score: 52 15 Windows shortcut file (LNK) starts blacklisted processes 2->15 17 Machine Learning detection for sample 2->17 6 cmd.exe 1 2->6         started        process3 signatures4 19 Windows shortcut file (LNK) starts blacklisted processes 6->19 9 conhost.exe 1 6->9         started        11 cmd.exe 1 6->11         started        13 cmd.exe 1 6->13         started        process5

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
USB DISK.lnk5%VirustotalBrowse
USB DISK.lnk8%ReversingLabsWin32.Trojan.GenAutorunLnkFile
USB DISK.lnk100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:35.0.0 Citrine
Analysis ID:659986
Start date and time: 08/07/202219:42:512022-07-08 19:42:51 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 26s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:USB DISK.lnk
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal52.winLNK@6/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .lnk
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): backgroundTaskHost.exe
  • Excluded IPs from analysis (whitelisted): 20.82.210.154
  • Excluded domains from analysis (whitelisted): www.bing.com, store-images.s-microsoft.com, arc.trafficmanager.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com
  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=79, Archive, ctime=Wed Jan 13 19:12:30 2021, mtime=Thu Jul 7 12:10:26 2022, atime=Wed Jan 13 19:12:30 2021, length=236544, window=hidenormalshowminimized
Entropy (8bit):4.805721511625944
TrID:
  • Windows Shortcut (20020/1) 100.00%
File name:USB DISK.lnk
File size:922
MD5:c78e81cc700617124974b7d22e4ba00c
SHA1:8448ecfa3b175a277f9b4938610bc0f6b201eb96
SHA256:c708cad33342728e48fe6a046b44e4c302fd5965c96b838f3c7bbcefef91dcb6
SHA512:fed62ffbd1896d3cefe20977e1b9884edaa36bfa6a96501c62054a1d1788c6f79e098a29f42c9682e31ae494c5cca8d894add5b2ff5d3e2318e3c0881629b8c4
SSDEEP:12:8bBkAMm0m/QMlZnVSXlZlM4x0j2JBzto0q6iNQ0h/3YJoq8DmUj1S:8bVMmJ4wJaFg2JBzto02Q0hvLRm41
TLSH:BD11D0121EC60B66C1758E37D86A7325D572BC42FF439E2500C0A1489942047F4BBF3E
File Content Preview:L..................F.... ....g.k............ht.k........O...................5....P.O. .:i.....+00.../C:\...................V.1......Tn...Windows.@........OwH.T7.....k6....B.................*.W.i.n.d.o.w.s.....Z.1......T.j..System32..B........OwH.TY......>

File Icon

Icon Hash:00608460e099f53d

Static Windows Shortcut Info

General

Relative Path:
Command Line Argument:/rtyPE fn.icO|cmD
Icon location:%systemroot%\system32\shell32.dll

Network Behavior

No network behavior found

Statistics

CPU Usage

051015s020406080100

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:19:44:07
Start date:08/07/2022
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /rtyPE fn.icO|cmD
Imagebase:0x7ff7bb450000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

General

Target ID:1
Start time:19:44:07
Start date:08/07/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff647620000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

General

Target ID:2
Start time:19:44:08
Start date:08/07/2022
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /S /D /c" tyPE fn.icO"
Imagebase:0x7ff7bb450000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

General

Target ID:3
Start time:19:44:08
Start date:08/07/2022
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmD
Imagebase:0x7ff7bb450000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Disassembly

No disassembly