Windows Analysis Report
pesuti lnk.lnk

Overview

General Information

Sample name: pesuti lnk.lnk
Analysis ID: 1523402
MD5: de14910bd0e6f5944f3fe879957461ff
SHA1: b9dcd5420566504e3b66519474b8a1b40068642b
SHA256: 317ae484d4c4b994ce235ca588e5f22e7fc22b5a68e15a4b9ab10162dcf93016
Tags: 185-244-29-74lnkuser-JAMESWT_MHT
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Found WSH timer for Javascript or VBS script (likely evasive script)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

Source: classification engine Classification label: mal52.winLNK@1/0@0/0
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\aca5887474e22b7be6121c56919953745a7a821311080acbe8970da7ed9479b8.vbs"
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: pesuti lnk.lnk LNK file: ..\..\..\..\..\..\Local\Temp\aca5887474e22b7be6121c56919953745a7a821311080acbe8970da7ed9479b8.vbs
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1523402 Sample: pesuti lnk.lnk Startdate: 01/10/2024 Architecture: WINDOWS Score: 52 7 Sigma detected: WScript or CScript Dropper 2->7 9 Sigma detected: Suspicious Script Execution From Temp Folder 2->9 11 Sigma detected: Script Interpreter Execution From Suspicious Folder 2->11 5 wscript.exe 2->5         started        process3
No contacted IP infos