Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Archivos.lnk

Overview

General Information

Sample name:Archivos.lnk
Analysis ID:1428351
MD5:f48cfe6ae7cd4014461b54f4f546a300
SHA1:17efd4c79341045fb4e0739f4ad698dad2d2bde8
SHA256:baaf0f3b544c0809f8367e6521a3ed59d2baaad83f112072830dae1779080b99
Tags:lnk
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found WSH timer for Javascript or VBS script (likely evasive script)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7004 cmdline: "C:\WINDOWS\system32\wscript.exe" Dark_Files\Cthulhu.vbs The_call 30000 MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Source: Process startedAuthor: Michael Haag: Data: Command: "C:\WINDOWS\system32\wscript.exe" Dark_Files\Cthulhu.vbs The_call 30000, CommandLine: "C:\WINDOWS\system32\wscript.exe" Dark_Files\Cthulhu.vbs The_call 30000, CommandLine|base64offset|contains: Nqe, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\WINDOWS\system32\wscript.exe" Dark_Files\Cthulhu.vbs The_call 30000, ProcessId: 7004, ProcessName: wscript.exe

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: Archivos.lnkAvira: detected
Source: classification engineClassification label: mal48.winLNK@1/0@0/0
Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\WINDOWS\system32\wscript.exe" Dark_Files\Cthulhu.vbs The_call 30000
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information11
Scripting		Valid AccountsWindows Management Instrumentation11
Scripting		1
DLL Side-Loading		1
DLL Side-Loading		OS Credential Dumping1
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		Boot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Archivos.lnk11%ReversingLabsShortcut.Trojan.Generic
Archivos.lnk100%AviraLNK/Runner.VPPS

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1428351
Start date and time:2024-04-18 21:14:34 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 45s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Archivos.lnk
Detection:MAL
Classification:mal48.winLNK@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .lnk

Warnings

  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: Archivos.lnk

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:MS Windows shortcut, Item id list present, Has command line arguments, Icon number=3, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Entropy (8bit):3.272973206604132
TrID:
  • Windows Shortcut (20020/1) 100.00%
File name:Archivos.lnk
File size:668 bytes
MD5:f48cfe6ae7cd4014461b54f4f546a300
SHA1:17efd4c79341045fb4e0739f4ad698dad2d2bde8
SHA256:baaf0f3b544c0809f8367e6521a3ed59d2baaad83f112072830dae1779080b99
SHA512:b9f0aef980885409434da4b8341f8a9e733bf1b7d537b0e51996006826972f48ab53f4a2a77d83a27f55713c9548689087b136f10c9be557787de7c759540304
SSDEEP:12:8Y9M0m/VnEXz/nvhsIgqEKw+ilDmIfcq6iNAILY:8YiJtnmnvtDHm4I02Ay
TLSH:F101E5045BDA0610E1728D736DEFE306CAB53893DE939F6E4084828D3464941BDBAE17
File Content Preview:L..................F........................................................A....P.O. .:i.....+00.../C:\...................V.1...........WINDOWS.@.............................................W.I.N.D.O.W.S.....Z.1...........system32..B.....................

File Icon

Icon Hash:30b4b4b464696d0d

Static Windows Shortcut Info

General

Relative Path:
Command Line Argument:Dark_Files\Cthulhu.vbs The_call 30000
Icon location:%SystemRoot%\System32\shell32.dll

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

General

Target ID:0
Start time:21:15:22
Start date:18/04/2024
Path:C:\Windows\System32\wscript.exe
Wow64 process (32bit):false
Commandline:"C:\WINDOWS\system32\wscript.exe" Dark_Files\Cthulhu.vbs The_call 30000
Imagebase:0x7ff6c48a0000
File size:170'496 bytes
MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Disassembly

No disassembly