Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'IMG-0371e4dce3c8804f1543c3f0f309cc11.jpg.lnkrawtrue'

malicious

Threat Score: 85/100 AV Detection: 25% Labeled as: BZC.YAX.Nioc.1.Generic

IMG-0371e4dce3c8804f1543c3f0f309cc11.jpg.lnkrawtrue

This report is generated from a file or URL submitted to this webservice on June 4th 2019 21:12:50 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis

Overview Sample unavailable Re-analyze Hash Seen Before Show Similar Samples Request Report Deletion

Incident Response

Risk Assessment

Fingerprint: Reads the cryptographic machine GUID

MITRE ATT&CK™ Techniques Detection

This report has 11 indicators that were mapped to 4 attack techniques and 3 tactics. View all details

Persistence
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1215	Kernel Modules and Extensions	Persistence	Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Learn more			Opens the Kernel Security Device Driver (KsecDD) of Windows
Defense Evasion
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1112	Modify Registry	Defense Evasion	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in [[Persistence]] and [[Execution]]. Learn more		Modifies proxy settings	Creates or modifies windows services
Discovery
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1120	Peripheral Device Discovery	Discovery	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Learn more			Queries volume information
T1012	Query Registry	Discovery	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. Learn more		Reads the cryptographic machine GUID	Reads information about supported languages Reads the active computer name Reads the registry for installed applications Queries sensitive IE security settings Queries the internet cache settings (often used to hide footprints in index.dat or internet cache) Monitors specific registry key for changes

Additional Context

Related Sandbox Artifacts

Associated URLs: hxxps://github.com/btechim/prntsrcn/blob/nm46ny/IMG-0371e4dce3c8804f1543c3f0f309cc11.jpg.lnk?raw=true

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 3
External Systems
- Sample was identified as malicious by a large number of Antivirus engines
  
  details
  
  13/60 Antivirus vendors marked sample as malicious (21% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
- Sample was identified as malicious by at least one Antivirus engine
  
  details
  
  13/60 Antivirus vendors marked sample as malicious (21% detection rate)
  
  source
  
  External System
  
  relevance
  
  8/10
Hiding 1 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 3
Environment Awareness
- Reads the cryptographic machine GUID
  
  details
  
  "mshta.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1012 (Show technique in the MITRE ATT&CK™ matrix)
System Security
- Modifies proxy settings
  
  details
  
  "mshta.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "mshta.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "mshta.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  "mshta.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  "mshta.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1112 (Show technique in the MITRE ATT&CK™ matrix)
Unusual Characteristics
- Checks for a resource fork (ADS) file
  
  details
  
  "mshta.exe" checked file "C:"
  
  source
  
  API Call
  
  relevance
  
  5/10

Informative 15
Anti-Detection/Stealthyness
- Queries kernel debugger information
  
  details
  
  "mshta.exe" at 00017231-00001692-00000105-6484732539
  
  source
  
  API Call
  
  relevance
  
  6/10
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  
  details
  
  "mshta.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
  
  source
  
  Registry Access
  
  relevance
  
  3/10
  
  ATT&CK ID
  
  T1012 (Show technique in the MITRE ATT&CK™ matrix)
Environment Awareness
- Queries volume information
  
  details
  
  "mshta.exe" queries volume information of "%WINDIR%\Fonts\times.ttf" at 00017231-00001692-0000010C-12244135904
  
  source
  
  API Call
  
  relevance
  
  2/10
  
  ATT&CK ID
  
  T1120 (Show technique in the MITRE ATT&CK™ matrix)
- Reads the active computer name
  
  details
  
  "mshta.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  
  source
  
  Registry Access
  
  relevance
  
  5/10
  
  ATT&CK ID
  
  T1012 (Show technique in the MITRE ATT&CK™ matrix)
- Reads the registry for installed applications
  
  details
  
  "mshta.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE")
  "mshta.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE"; Key: "PATH"; Value: "00000000010000005800000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F006600740020004F00660066006900630065005C004F0066006600690063006500310034005C000000")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1012 (Show technique in the MITRE ATT&CK™ matrix)
General
- Creates mutants
  
  details
  
  "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\!IECompat!Mutex"
  "Local\ZonesCacheCounterMutex"
  "Local\ZonesLockedCacheCounterMutex"
  "!IECompat!Mutex"
  
  source
  
  Created Mutant
  
  relevance
  
  3/10
- Overview of unique CLSIDs touched in registry
  
  details
  
  "mshta.exe" touched "HTML Document" (Path: "HKCU\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\INPROCSERVER32")
  "mshta.exe" touched "Microsoft HTA Document 6.0" (Path: "HKCU\CLSID\{3050F5C8-98B5-11CF-BB82-00AA00BDCE0B}")
  "mshta.exe" touched "Microsoft HTML About Pluggable Protocol" (Path: "HKCU\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}")
  "mshta.exe" touched "Browser Application State" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}")
  "mshta.exe" touched "CActiveIMMAppEx_Trident" (Path: "HKCU\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\TREATAS")
  "mshta.exe" touched "PSOAInterface" (Path: "HKCU\CLSID\{00020424-0000-0000-C000-000000000046}\TREATAS")
  "mshta.exe" touched "NetworkListManager" (Path: "HKCU\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\TREATAS")
  "mshta.exe" touched "Network List Manager" (Path: "HKCU\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\TREATAS")
  "mshta.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\TREATAS")
  "mshta.exe" touched "WinInetBroker Class" (Path: "HKCU\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TREATAS")
  
  source
  
  Registry Access
  
  relevance
  
  3/10
Installation/Persistance
- Connects to LPC ports
  
  details
  
  "mshta.exe" connecting to "\ThemeApiPort"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Monitors specific registry key for changes
  
  details
  
  "mshta.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 0)
  "mshta.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 0)
  "mshta.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4; Subtree: 0)
  
  source
  
  API Call
  
  relevance
  
  4/10
  
  ATT&CK ID
  
  T1012 (Show technique in the MITRE ATT&CK™ matrix)
- Touches files in the Windows directory
  
  details
  
  "mshta.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  "mshta.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
  "mshta.exe" touched file "C:\Windows\System32\rsaenh.dll"
  "mshta.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
  "mshta.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
  "mshta.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
  "mshta.exe" touched file "C:\Windows\System32\oleaccrc.dll"
  "mshta.exe" touched file "C:\Windows\System32\mshta.exe"
  "mshta.exe" touched file "C:\Windows\Fonts\times.ttf"
  "mshta.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
  "mshta.exe" touched file "C:\Windows\System32\en-US\mshta.exe.mui"
  "mshta.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
  "mshta.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
  "mshta.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files"
  "mshta.exe" touched file "%APPDATA%\Microsoft\Windows\Cookies"
  "mshta.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\History"
  
  source
  
  API Call
  
  relevance
  
  7/10
Network Related
- Found potential URL in binary/memory
  
  details
  
  Pattern match: "http://ns.adobe.com/xap/1.0/"
  Pattern match: "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  Pattern match: "https://bcorp.fun/1/f.hta"
  
  source
  
  String
  
  relevance
  
  10/10
System Security
- Creates or modifies windows services
  
  details
  
  "mshta.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1112 (Show technique in the MITRE ATT&CK™ matrix)
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  
  details
  
  "mshta.exe" opened "\Device\KsecDD"
  
  source
  
  API Call
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1215 (Show technique in the MITRE ATT&CK™ matrix)
- Queries sensitive IE security settings
  
  details
  
  "mshta.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  
  source
  
  Registry Access
  
  relevance
  
  8/10
  
  ATT&CK ID
  
  T1012 (Show technique in the MITRE ATT&CK™ matrix)
Unusual Characteristics
- Reads information about supported languages
  
  details
  
  "mshta.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  
  source
  
  Registry Access
  
  relevance
  
  3/10
  
  ATT&CK ID
  
  T1012 (Show technique in the MITRE ATT&CK™ matrix)

File Details

All Details:

IMG-0371e4dce3c8804f1543c3f0f309cc11.jpg.lnkrawtrue

Filename: IMG-0371e4dce3c8804f1543c3f0f309cc11.jpg.lnkrawtrue
Size: 180KiB (184376 bytes)
Type: lnk
Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=67, Archive, ctime=Wed May 1 08:04:59 2019, mtime=Wed May 1 08:04:59 2019, atime=Mon Jan 1 01:39:55 2018, length=14848, window=hide
Architecture
: WINDOWS
SHA256
: 9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6
MD5
: 348e264671c70c26d644d8c4254a45c6
SHA1
: f8caebccafff15d454a5e62c56704df60a996667
ssdeep
: 3072:0KMKiNX5t06jzYuCwgHBaKMKiNX5t06jzYuCwgHB6:yjJ566wuzgHKjJ566wuzgHc

Resources

Icon

Visualization

Input File (PortEx)

Classification (TrID)

100.0% (.LNK) Windows Shortcut

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 1 process in total (System Resource Monitor).

mshta.exe https://bcorp.fun/1/f.hta (PID: 1692)

Logged Script Calls	Logged Stdout	Extracted Streams	Memory Dumps
Reduced Monitoring	Network Activityy	Network Error	Multiscan Match

Network Analysis

DNS Requests

No relevant DNS requests were made.

Contacted Hosts

No relevant hosts were contacted.

HTTP Traffic

No relevant HTTP requests were made.

Extracted Strings

Download All Memory Strings (2.9KiB)

%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

%SystemRoot%\System32\imageres.dll

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

' id='W5M0MpCehiHzreSzNTczkc9d'?><x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="http://ns.adobe.com/xap/1.0/"><xmp:CreatorTool>Microsoft Windows Photo Viewer 10.0.17134.1</xmp:CreatorTool></rdf:Description></rdf:RDF></x:xmpmeta>

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

+Microsoft Windows Photo Viewer 10.0.17134.1

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

,,.__.,,

Ansi based on Image Processing (screen_2.png)

.k~8}+UI^_

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

00000409

Unicode based on Runtime Data (mshta.exe )

00060101.00060101

Unicode based on Runtime Data (mshta.exe )

0_,,___,__

Ansi based on Image Processing (screen_2.png)

0____________.

Ansi based on Image Processing (screen_3.png)

2018:07:05 16:33:51

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

60CB6C89

Unicode based on Runtime Data (mshta.exe )

9acspAPPL

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

<?xpacket begin='

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

<?xpacket end='w'?>

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (mshta.exe )

\ThemeApiPort

Unicode based on Runtime Data (mshta.exe )

_''__,,__i_i

Ansi based on Image Processing (screen_3.png)

_,l_,

Ansi based on Image Processing (screen_3.png)

_;,?,___,gq,,g__

Ansi based on Image Processing (screen_0.png)

_??_____?___,____g

Ansi based on Image Processing (screen_0.png)

__0__

Ansi based on Image Processing (screen_0.png)

___..__0__''il__,,

Ansi based on Image Processing (screen_3.png)

_____

Ansi based on Image Processing (screen_3.png)

AcceptLanguage

Unicode based on Runtime Data (mshta.exe )

AddressFamily

Unicode based on Runtime Data (mshta.exe )

AdminTabProcs

Unicode based on Runtime Data (mshta.exe )

AhlALY6l6

Ansi based on Image Processing (screen_0.png)

Allow Programmatic Cut_Copy_Paste

Unicode based on Runtime Data (mshta.exe )

AllowOnlyDNSQueryForWPAD

Unicode based on Runtime Data (mshta.exe )

Always Use My Colors

Unicode based on Runtime Data (mshta.exe )

Always Use My Font Face

Unicode based on Runtime Data (mshta.exe )

Always Use My Font Size

Unicode based on Runtime Data (mshta.exe )

AlwaysDrainOnRedirect

Unicode based on Runtime Data (mshta.exe )

Anchor Color

Unicode based on Runtime Data (mshta.exe )

Anchor Color Hover

Unicode based on Runtime Data (mshta.exe )

Anchor Color Visited

Unicode based on Runtime Data (mshta.exe )

Anchor Underline

Unicode based on Runtime Data (mshta.exe )

AppData

Unicode based on Runtime Data (mshta.exe )

Attributes

Unicode based on Runtime Data (mshta.exe )

AutoConfigURL

Unicode based on Runtime Data (mshta.exe )

AutoDetect

Unicode based on Runtime Data (mshta.exe )

AutoProxyDetectType

Unicode based on Runtime Data (mshta.exe )

BadProxyExpiresTime

Unicode based on Runtime Data (mshta.exe )

bFBMD01000aa5030000201f00004b370000c13800001a3a00003d410000a5640000cf6c0000f66f0000a273000025bf0000

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

BreakOnInitializeProcessFailure

Unicode based on Runtime Data (mshta.exe )

BreakOnRecursiveDllLoads

Unicode based on Runtime Data (mshta.exe )

BypassHTTPNoCacheCheck

Unicode based on Runtime Data (mshta.exe )

BypassSSLNoCacheCheck

Unicode based on Runtime Data (mshta.exe )

%WINDIR%\System32\mshta.exe

Ansi based on Memory/File Scan (9f1f04db605ba35a97c1a0554c1932f5848c9bb7a4cb915cde670b0bb26dc7b6.bin)

Cache

Unicode based on Runtime Data (mshta.exe )

CacheLimit

Unicode based on Runtime Data (mshta.exe )

CacheMode

Unicode based on Runtime Data (mshta.exe )

CachePrefix

Unicode based on Runtime Data (mshta.exe )

Extracted Files

No significant files were extracted.

Notifications

Runtime 0

Community

There are no community comments.

You must be logged in to submit a comment.

IMG-0371e4dce3c8804f1543c3f0f309cc11.jpg.lnkrawtrue

Incident Response

Risk Assessment

MITRE ATT&CK™ Techniques Detection

Additional Context

Related Sandbox Artifacts

Indicators

Malicious Indicators 3

Suspicious Indicators 3

Informative 15

File Details

IMG-0371e4dce3c8804f1543c3f0f309cc11.jpg.lnkrawtrue

Resources

Visualization

Classification (TrID)

Screenshots

System Resource Monitor

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

HTTP Traffic

Extracted Strings

Extracted Files

Notifications

Runtime 0

Community

Vetting required

Request Report Deletion

Link