Windows Analysis Report
MSAssist.lnk

Overview

General Information

Sample Name: MSAssist.lnk
Analysis ID: 796588
MD5: 483e3e0b1dceb4a5a13de65d3556c3fe
SHA1: e8b0785e58fd864c16fe4a58ee734d0fc93702e5
SHA256: b7533ae3057764c8734ebdea13e766eaa92ad38f7ab41bb267b9b44a550e1507
Tags: lnk

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected malicious lnk
Snort IDS alert for network traffic
Found URL in windows shortcut file (LNK)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
JA3 SSL client fingerprint seen in connection with other malware
Connects to a URL shortener service
IP address seen in connection with other malware

Classification

AV Detection

Source: MSAssist.lnk ReversingLabs: Detection: 56%
Source: MSAssist.lnk Virustotal: Detection: 50%
Source: https://page.googledocpage.com/ Avira URL Cloud: Label: malware
Source: https://page.googledocpage.com/WiU Avira URL Cloud: Label: malware
Source: https://page.googledocpage.com/I Avira URL Cloud: Label: malware
Source: https://page.googledocpage.com/z Avira URL Cloud: Label: malware
Source: https://page.googledocpage.com/U Avira URL Cloud: Label: malware
Source: page.googledocpage.com Virustotal: Detection: 12%
Source: https://page.googledocpage.com/ Virustotal: Detection: 12%
Source: unknown HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.3:49696 version: TLS 1.2

Networking

Source: Traffic Snort IDS: 2033450 ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (page .googledocpage .com) 192.168.2.3:61787 -> 8.8.8.8:53
Source: global traffic HTTP traffic detected:
  GET /35FlWc2 HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: bit.ly
  Connection: Keep-Alive
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\System32\mshta.exe DNS query: name: bit.ly
Source: Joe Sandbox View IP Address: 67.199.248.10
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bit.ly/
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66C017000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFB0000.00000004.00000020.00020000.00000000.sdmp, MSAssist.lnk String found in binary or memory: https://bit.ly/35FlWc2
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bit.ly/35FlWc2...
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bit.ly/35FlWc2B
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bit.ly/35FlWc2C:
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bit.ly/35FlWc2S
Source: mshta.exe, 00000000.00000002.524417090.000001D66C1B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bit.ly/35FlWc2aHOMEDRIVE
Source: mshta.exe, 00000000.00000002.524050952.000001D66BFC5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bit.ly/35FlWc2r
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bit.ly/r3
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://page.googledocpage.com/
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://page.googledocpage.com/I
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://page.googledocpage.com/U
Source: mshta.exe, 00000000.00000003.257329635.000001DE6E1B4000.00000004.00000020.00020000.00000000.sdmp, 35FlWc2[1].htm.0.dr String found in binary or memory: https://page.googledocpage.com/WiU
Source: mshta.exe, 00000000.00000002.524712330.000001DE6E170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://page.googledocpage.com/z
Source: unknown DNS traffic detected: queries for: bit.ly

System Summary

Source: Yara match File source: MSAssist.lnk, type: SAMPLE
Source: Initial file Strings: https://bit.ly/35FlWc2%wN
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: MSAssist.lnk LNK file: ..\..\..\..\..\WINDOWS\system32\mshta.exe
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4
Source: classification engine Classification label: mal84.rans.troj.winLNK@1/1@2/1
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: mshta.exe, 00000000.00000002.524050952.000001D66C017000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66BFE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.524050952.000001D66C090000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
[Figure: contacted-IP distribution map; legend buckets by share of IPs: < 25%, 25-50%, 50-75%, > 75%]