Windows Analysis Report
DECIDENT.LNK.lnk

Overview

General Information

Sample Name: DECIDENT.LNK.lnk
Analysis ID: 795693
MD5: 0dcf849c45cbcbcc80f2faf974a2da70
SHA1: fb649af9030286b008898cbb0314f39689323a9e
SHA256: dc8d25b04313db41d710d03a22c60eb79eff2f2c8e36980fb8328de6f62e00af
Tags: IcedIDlnk
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes
Machine Learning detection for sample
Sample execution stops while process was sleeping (likely an evasion)
Program does not show much activity (idle)

Classification

AV Detection
barindex
Machine Learning detection for sample
Source: DECIDENT.LNK.lnk Joe Sandbox ML: detected
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini Jump to behavior
Source: classification engine Classification label: mal52.winLNK@2/0@0/1
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "SPASTICS\STYRACIN.CMD reg" i Monoeidic X Sortieing
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Persistence and Installation Behavior
barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 795693 Sample: DECIDENT.LNK.lnk Startdate: 01/02/2023 Architecture: WINDOWS Score: 52 13 Windows shortcut file (LNK) starts blacklisted processes 2->13 15 Machine Learning detection for sample 2->15 6 cmd.exe 1 2->6         started        process3 process4 8 conhost.exe 1 6->8         started        dnsIp5 11 192.168.2.1 unknown unknown 8->11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private

IP
192.168.2.1