Windows Analysis Report
DECIDENT.LNK.lnk

Overview

General Information

Sample Name:DECIDENT.LNK.lnk
Analysis ID:795693
MD5:0dcf849c45cbcbcc80f2faf974a2da70
SHA1:fb649af9030286b008898cbb0314f39689323a9e
SHA256:dc8d25b04313db41d710d03a22c60eb79eff2f2c8e36980fb8328de6f62e00af
Tags:IcedID, lnk

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes
Machine Learning detection for sample
Sample execution stops while process was sleeping (likely an evasion)
Program does not show much activity (idle)

Classification

  • System is w10x64
  • cmd.exe (PID: 1804 cmdline: "C:\Windows\System32\cmd.exe" /c "SPASTICS\STYRACIN.CMD reg" i Monoeidic X Sortieing MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: DECIDENT.LNK.lnk | Joe Sandbox ML: detected
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: classification engine | Classification label: mal52.winLNK@2/0@0/1
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "SPASTICS\STYRACIN.CMD reg" i Monoeidic X Sortieing
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
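The two "Process created" lines above are what a process-creation sensor would see when the shortcut runs. The following is an added example, not a Joe Sandbox signature: a matcher over Sysmon-style process-creation records that flags cmd.exe being handed a batch script by relative path, which is exactly the launch shape of this sample (the .CMD lives in a sibling directory next to the shortcut, so it only resolves from the directory the lure was opened in). The records are constructed: the first mirrors the command line in the report, but its parent is assumed to be explorer.exe (the report records the parent as unknown); the other three are made-up controls.

```python
"""Detection over constructed process-creation telemetry (added example, not a
Joe Sandbox signature).  The first event reproduces the cmd.exe command line from
the report; its ParentImage is an assumption, the remaining events are made up."""
import re

# cmd.exe /c followed by a quoted or bare token naming a .cmd/.bat script
BATCH_LAUNCH = re.compile(r'/c\s+"?(?P<script>[^"\s]+\.(?:cmd|bat))\b', re.I)
# drive letter or UNC prefix: anything else is resolved against the current directory
ABSOLUTE = re.compile(r"^[a-z]:\\|^\\\\", re.I)

# Constructed Sysmon Event ID 1 style records
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",          # assumed; report says 'unknown'
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "SPASTICS\STYRACIN.CMD reg" i Monoeidic X Sortieing'},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"Image": r"C:\Windows\System32\cmd.exe",            # control: absolute path, service parent
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Vendor\update.cmd'},
    {"Image": r"C:\Windows\System32\cmd.exe",            # control: interactive shell, no script
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /k'},
]


def classify(event: dict) -> list:
    """Return the reasons an event looks like a shortcut-driven batch launch, or []."""
    if not event["Image"].lower().endswith(r"\cmd.exe"):
        return []
    match = BATCH_LAUNCH.search(event["CommandLine"])
    if not match:
        return []
    script = match.group("script")
    reasons = [f"cmd.exe /c runs batch script {script}"]
    if not ABSOLUTE.match(script):
        reasons.append("script path is relative, resolved against the launcher's working directory")
    if event["ParentImage"].lower().endswith(r"\explorer.exe"):
        reasons.append("parent is explorer.exe, i.e. an interactive double-click such as a .lnk")
    return reasons


def scan(events: list) -> list:
    """Pair every suspicious command line with its reasons; silent on clean events."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["CommandLine"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in scan(EVENTS):
        print(cmdline)
        for reason in reasons:
            print("   -", reason)
```

The relative-path test is the discriminating one: scheduled tasks and installers that run batch files normally do so by absolute path, whereas a lure extracted from an ISO or ZIP has to refer to its helper script relative to wherever the victim opened it. Pair this with the parent check rather than alerting on it alone, since cmd.exe /c with a relative script also occurs in build and login scripts.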

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\cmd.exe
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

ATT&CK tactics and techniques (a count in parentheses is the number of matched signatures; techniques without a count are unmatched matrix placeholders)

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts
Defense Evasion: Process Injection (1); Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: Process Discovery (1); File and Directory Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
Source | Detection | Scanner
DECIDENT.LNK.lnk | 3% | ReversingLabs
DECIDENT.LNK.lnk | 7% | Virustotal
DECIDENT.LNK.lnk | 100% | Joe Sandbox ML
No Antivirus matches
No contacted domains info

Contacted IPs: 192.168.2.1 (no domain, country or ASN information recorded; a private-range RFC 1918 address, so not an Internet contact)

Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:795693
Start date and time:2023-02-01 07:51:10 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 4s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:DECIDENT.LNK.lnk
Detection:MAL
Classification:mal52.winLNK@2/0@0/1
Cookbook Comments:
  • Found application associated with file extension: .lnk
  • Stop behavior analysis, all processes terminated
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
No created / dropped files found
File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=0, Archive, ctime=Sat Nov 5 07:42:56 2022, mtime=Tue Jan 24 15:42:49 2023, atime=Sat Nov 5 07:42:56 2022, length=289792, window=hidenormalshowminimized
Entropy (8bit):3.236690031941681
TrID:
  • Windows Shortcut (20020/1) 100.00%
File name:DECIDENT.LNK.lnk
File size:1784
MD5:0dcf849c45cbcbcc80f2faf974a2da70
SHA1:fb649af9030286b008898cbb0314f39689323a9e
SHA256:dc8d25b04313db41d710d03a22c60eb79eff2f2c8e36980fb8328de6f62e00af
SHA512:c93120e27e161e82e5fe7d8beee0e8eac9a1ee5eb9d54b49eb04a3f15bccf6c04542648efd2edbff4f83a4106563f24a1957486bd1206a1f571e717a5404d98a
SSDEEP:24:8oWJR/AP97s4yMp5zCxUA6e+/U4I02Gd+dsT+m9l:8p4PtzUCeEIUd+dC+Gl
TLSH:3A31442F67E4471AE1F2467264ABB3118232F811E5274A2B41C0A18ADD20600FD2AB3F
File Content Preview:L..................F.@.. ................0...........l......................5....P.O. .:i.....+00.../C:\...................V.1.....3VUb..Windows.@........OwH8V......(.....................It(.W.i.n.d.o.w.s.....Z.1.....4V.s..System32..B........OwH8V'.......
Icon Hash:f4ccccccccc9c9cd

General

Relative Path:
Command Line Argument:/c "SPASTICS\STYRACIN.CMD reg" i Monoeidic X Sortieing
Icon location:C:\Windows\System32\zipfldr.dll
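The Command Line Argument and Icon location fields above come from the shortcut's StringData block, and the file-type line earlier in the report is libmagic's summary of the same header. The following is an added example, not Joe Sandbox code and not the sample itself: a minimal parser for the Shell Link Binary File Format (MS-SHLLINK) that reads those fields straight from the bytes, plus triage checks for the pattern this report shows (cmd.exe handed a batch script by relative path, with the compressed-folder icon from zipfldr.dll). SAMPLE_LNK is a synthetic shortcut assembled by build_lnk to carry the reported arguments, icon path and target length; its timestamps, attributes, empty IDList and SW_SHOWMINNOACTIVE window state are assumptions, not values read from DECIDENT.LNK.lnk.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus triage checks.  Added example, not Joe
Sandbox code.  SAMPLE_LNK is constructed: it carries the command line and icon
path from the report, everything else in it is assumed."""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) this parser needs
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# StringData fields in on-disk order, each present only if its flag is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
BATCH_PATH = re.compile(r"[\w.\\:-]+\.(?:cmd|bat)\b", re.I)


def parse_lnk(data: bytes) -> dict:
    """Read ShellLinkHeader and StringData; LinkTargetIDList and LinkInfo are
    skipped via their own size fields, ExtraData after the strings is ignored."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize, not a shell link")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID, not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    target_size, icon_index, show_cmd = struct.unpack_from("<III", data, 52)
    info = {"target_size": target_size, "icon_index": icon_index,
            "show_command": SHOW_COMMANDS.get(show_cmd, hex(show_cmd))}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]       # LinkInfoSize includes itself
    for field, bit in STRING_FIELDS:
        info[field] = ""
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]      # characters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1              # ANSI strings assumed cp1252
        info[field] = data[off:off + count * width].decode(
            "utf-16-le" if width == 2 else "cp1252", errors="replace")
        off += count * width
    return info


def triage(info: dict) -> list:
    """Indicators of the lure in this report: batch script via relative path,
    compressed-folder icon, console window kept out of sight."""
    reasons = []
    for script in BATCH_PATH.findall(info["arguments"]):
        kind = "absolute" if re.match(r"^[a-z]:\\|^\\\\", script, re.I) else "relative"
        reasons.append(f"arguments run batch script {script} ({kind} path)")
    if info["icon_location"].lower().endswith("zipfldr.dll"):
        reasons.append("icon taken from zipfldr.dll, mimics a compressed folder")
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        reasons.append("window opens minimized, hides the cmd.exe console")
    return reasons


def build_lnk(arguments: str, icon_location: str, show_cmd: int = 1, target_size: int = 0) -> bytes:
    """Assemble a synthetic .lnk with only the fields parse_lnk reads (constructed input)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<II", flags, 0x20)       # FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                          # CreationTime, AccessTime, WriteTime: zero
    header += struct.pack("<III", target_size, 0, show_cmd)
    header += b"\x00" * 12                          # HotKey, Reserved1..3
    idlist = struct.pack("<H", 2) + b"\x00\x00"     # empty IDList: only the 2-byte TerminalID
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (arguments, icon_location))
    return header + idlist + strings


# Constructed stand-in for DECIDENT.LNK.lnk: arguments, icon path and target length as
# reported; the minimized window state is an assumption.
REPORTED_ARGS = '/c "SPASTICS\\STYRACIN.CMD reg" i Monoeidic X Sortieing'
REPORTED_ICON = "C:\\Windows\\System32\\zipfldr.dll"
SAMPLE_LNK = build_lnk(REPORTED_ARGS, REPORTED_ICON, show_cmd=7, target_size=289792)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print({k: v for k, v in parsed.items() if v})
    print(*triage(parsed), sep="\n")
```

parse_lnk deliberately does not decode LinkTargetIDList, so it cannot tell you that the target is cmd.exe, and it does not read the working directory or ExtraData; for a complete picture run a full parser such as LECmd or lnkinfo. A shortcut without IsUnicode stores its strings in the writing machine's ANSI code page, which cp1252 only approximates.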
Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Target ID:0
Start time:07:52:06
Start date:01/02/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c "SPASTICS\STYRACIN.CMD reg" i Monoeidic X Sortieing
Imagebase:0x7ff632260000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:1
Start time:07:52:06
Start date:01/02/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c72c0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

No disassembly