Windows Analysis Report
25jan. Required documents.lnk

Overview

General Information

Sample Name: 25jan. Required documents.lnk
Analysis ID: 794650
MD5: 42d501d938b5152accfb8541ccd302a5
SHA1: 476e42f9e316d44fbd4bf2371e2c8b5c0503eab5
SHA256: 1e6c697fe3b106fd43b6d7c96752a3618eaa04765e89bf8bc4b2e7cb8eb5034c
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) contains suspicious command line arguments
Sample execution stops while process was sleeping (likely an evasion)
Uses taskkill to terminate processes
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 25jan. Required documents.lnk Virustotal: Detection: 8% Perma Link

System Summary
barindex
Windows shortcut file (LNK) contains suspicious command line arguments
Source: 25jan. Required documents.lnk LNK file: /c cd project && registry.exe registry.py & taskkill /F /IM cmd.exe
Source: 25jan. Required documents.lnk Virustotal: Detection: 8%
Source: classification engine Classification label: mal60.winLNK@4/0@0/0
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd project && registry.exe registry.py & taskkill /F /IM cmd.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini Jump to behavior
Source: 25jan. Required documents.lnk LNK file: ..\..\..\Windows\System32\cmd.exe
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe")

Persistence and Installation Behavior
barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Enables debug privileges
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Uses taskkill to terminate processes
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exe Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 794650 Sample: 25jan. Required documents.lnk Startdate: 30/01/2023 Architecture: WINDOWS Score: 60 12 Windows shortcut file (LNK) starts blacklisted processes 2->12 14 Multi AV Scanner detection for submitted file 2->14 16 Windows shortcut file (LNK) contains suspicious command line arguments 2->16 6 cmd.exe 1 2->6         started        process3 process4 8 taskkill.exe 1 6->8         started        10 conhost.exe 1 6->10         started       
No contacted IP infos