Edit tour

Windows Analysis Report
25jan. Required documents.lnk

Overview

General Information

Sample Name:	25jan. Required documents.lnk
Analysis ID:	794650
MD5:	42d501d938b5152accfb8541ccd302a5
SHA1:	476e42f9e316d44fbd4bf2371e2c8b5c0503eab5
SHA256:	1e6c697fe3b106fd43b6d7c96752a3618eaa04765e89bf8bc4b2e7cb8eb5034c
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) contains suspicious command line arguments

Sample execution stops while process was sleeping (likely an evasion)

Uses taskkill to terminate processes

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Classification

Process Tree

System is w10x64_ra

cmd.exe (PID: 6496 cmdline: "C:\Windows\System32\cmd.exe" /c cd project && registry.exe registry.py & taskkill /F /IM cmd.exe MD5: 9D59442313565C2E0860B88BF32B2277)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

taskkill.exe (PID: 6588 cmdline: taskkill /F /IM cmd.exe MD5: 3BBEE3AC757CA54F33710DF8FB9D47A7)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 25jan. Required documents.lnk

Virustotal: Detection: 8%

Perma Link

System Summary

Windows shortcut file (LNK) contains suspicious command line arguments

Source: 25jan. Required documents.lnk

LNK file: /c cd project && registry.exe registry.py & taskkill /F /IM cmd.exe

Source: 25jan. Required documents.lnk

Virustotal: Detection: 8%

Source: classification engine

Classification label: mal60.winLNK@4/0@0/0

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd project && registry.exe registry.py & taskkill /F /IM cmd.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exe	Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: 25jan. Required documents.lnk

LNK file: ..\..\..\Windows\System32\cmd.exe

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe")

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\cmd.exe

Source: C:\Windows\System32\taskkill.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exe

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exe

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	11 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
25jan. Required documents.lnk	8%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	794650
Start date and time:	2023-01-30 19:46:32 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	25jan. Required documents.lnk
Detection:	MAL
Classification:	mal60.winLNK@4/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.75, 40.126.31.73, 20.190.159.73, 20.190.159.4, 20.190.159.2, 40.126.31.71, 40.126.31.69, 20.190.159.23
Excluded domains from analysis (whitelisted): prda.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=14, Archive, ctime=Sat Jul 16 12:18:48 2016, mtime=Sat Jul 16 12:18:48 2016, atime=Sat Jul 16 12:18:48 2016, length=232960, window=hide
Entropy (8bit):	4.469401886349938
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	25jan. Required documents.lnk
File size:	1312
MD5:	42d501d938b5152accfb8541ccd302a5
SHA1:	476e42f9e316d44fbd4bf2371e2c8b5c0503eab5
SHA256:	1e6c697fe3b106fd43b6d7c96752a3618eaa04765e89bf8bc4b2e7cb8eb5034c
SHA512:	0ea012f85c749ccbb153766423c88d166eb186725b21ba1be442f3ac7d3290aa3356b80fefceff23dd010dd82e814bbd316f7e7b7a5d43e76c224c4e16f577e8
SSDEEP:	24:8vJ25BdHdaUCMbXUx+/fqiT0x4o0agFDTXD/Fom:80hH5h0OoATXjFo
TLSH:	C821870507FBA319F3B24E76043AE3458FA2F951FD63A72D5254A18C8860F08EC74B17
File Content Preview:	L..................F.... .......d.......d.......d...........................5....P.O. .:i.....+00.../C:\...................V.1...../Urk..Windows.@........H.0/Urk..........................u...W.i.n.d.o.w.s.....Z.1.....)V.>..System32..B........H.0)V.>......

File Icon


Icon Hash:	74f0e4e4e4e9e1ed

Static Windows Shortcut Info

General
Relative Path:	..\..\..\Windows\System32\cmd.exe
Command Line Argument:	/c cd project && registry.exe registry.py & taskkill /F /IM cmd.exe
Icon location:	%SystemRoot%\system32\imageres.dll

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exePID: 6496, Parent PID: 3840

General

Target ID:	0
Start time:	19:47:07
Start date:	30/01/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c cd project && registry.exe registry.py & taskkill /F /IM cmd.exe
Imagebase:	0x7ff7f3020000
File size:	280064 bytes
MD5 hash:	9D59442313565C2E0860B88BF32B2277
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	1
Start time:	19:47:07
Start date:	30/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7603a0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	3
Start time:	19:47:07
Start date:	30/01/2023
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM cmd.exe
Imagebase:	0x7ff6c79d0000
File size:	95744 bytes
MD5 hash:	3BBEE3AC757CA54F33710DF8FB9D47A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 25jan. Required documents.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: cmd.exePID: 6496, Parent PID: 3840

General

Chronological Activities

Analysis Process: conhost.exePID: 6504, Parent PID: 6496

General

Chronological Activities

Analysis Process: taskkill.exePID: 6588, Parent PID: 6496

General

Chronological Activities

Disassembly

Windows Analysis Report
25jan. Required documents.lnk