File 23eea7f017eac75c_nqndyy.lnk

Size 1.1KB
Type MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Dec 11 02:16:09 2024, mtime=Wed Dec 11 02:16:09 2024, atime=Tue Jun 16 01:08:53 2020, length=829698, window=hide
MD5 893fc8bd5272c3af11e562ea02e1903e
SHA1 c2ad92c4c128b08669c4d27be9e28024e2df6e69
SHA256 23eea7f017eac75c1a43278825d207c8df45734f6076a086fcd032b7f8e003bc
SHA512 71c2ee50bd48d3f7d0cb916e009dd733971fce09c2eb220b2c4ee6fd70f2af7ebd183e5e6bd076fa71eb4683dff87699f5fc4e0250946c32e64c07f15dc02134
CRC32 F33546BE
ssdeep None
Yara
  • LnkHeader - (no description)

Score

This file shows numerous signs of malicious behavior.

The score of this file is 3.6 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.


Autosubmit

Parent_Task_ID:5653291


Information on Execution

Analysis
Category: FILE
Started: Dec. 14, 2024, 5 p.m.
Completed: Dec. 14, 2024, 5:05 p.m.
Duration: 279 seconds
Routing: internet
Logs: Analyzer Log, Cuckoo Log (below)

Analyzer Log

2024-12-11 11:06:21,030 [analyzer] DEBUG: Starting analyzer from: C:\tmpl4240h
2024-12-11 11:06:21,046 [analyzer] DEBUG: Pipe server name: \??\PIPE\cyPSWImJimFKIQCDaZGUVqoRjAd
2024-12-11 11:06:21,046 [analyzer] DEBUG: Log pipe server name: \??\PIPE\wmAznPmDPaoAcHnizVbLrSAc
2024-12-11 11:06:21,046 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2024-12-11 11:06:21,046 [analyzer] INFO: Automatically selected analysis package "lnk"
2024-12-11 11:06:21,405 [analyzer] DEBUG: Started auxiliary module Curtain
2024-12-11 11:06:21,405 [analyzer] DEBUG: Started auxiliary module DbgView
2024-12-11 11:06:21,828 [analyzer] DEBUG: Started auxiliary module Disguise
2024-12-11 11:06:22,046 [analyzer] DEBUG: Loaded monitor into process with pid 508
2024-12-11 11:06:22,046 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2024-12-11 11:06:22,046 [analyzer] DEBUG: Started auxiliary module Human
2024-12-11 11:06:22,046 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2024-12-11 11:06:22,046 [analyzer] DEBUG: Started auxiliary module Reboot
2024-12-11 11:06:22,155 [analyzer] DEBUG: Started auxiliary module RecentFiles
2024-12-11 11:06:22,155 [analyzer] DEBUG: Started auxiliary module Screenshots
2024-12-11 11:06:22,155 [analyzer] DEBUG: Started auxiliary module Sysmon
2024-12-11 11:06:22,155 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2024-12-11 11:06:22,233 [lib.api.process] INFO: Successfully executed process from path 'C:\\Windows\\System32\\cmd.exe' with arguments ['/c', 'start', '/wait', '"jDiCdlTeuVkK"', u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\23eea7f017eac75c_nqndyy.lnk'] and pid 2464
2024-12-11 11:06:22,483 [analyzer] DEBUG: Loaded monitor into process with pid 2464
2024-12-11 11:06:22,812 [analyzer] CRITICAL: Error creating function stub for advapi32!ControlService.
2024-12-11 11:06:22,842 [analyzer] CRITICAL: Unable to change memory protection of advapi32!DeleteService at 0x09f498 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,858 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerA at 0x09f336 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,858 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerW at 0x09f4a8 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,875 [analyzer] CRITICAL: Error creating function stub for advapi32!OpenServiceA.
2024-12-11 11:06:22,875 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceW at 0x09f488 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,875 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegCloseKey at 0x09f6b4 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,890 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueA at 0x09f5ee 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,890 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueW at 0x09f5dc 10 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,921 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceCtrlDispatcherW at 0x09f276 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,921 [analyzer] CRITICAL: Error creating function stub for advapi32!StartServiceW.
2024-12-11 11:06:22,953 [analyzer] CRITICAL: Error creating function stub for advapi32!ControlService.
2024-12-11 11:06:22,953 [analyzer] CRITICAL: Unable to change memory protection of advapi32!DeleteService at 0x09f498 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,953 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerA at 0x09f336 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,967 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerW at 0x09f4a8 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,967 [analyzer] CRITICAL: Error creating function stub for advapi32!OpenServiceA.
2024-12-11 11:06:22,967 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceW at 0x09f488 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,967 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegCloseKey at 0x09f6b4 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,967 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueA at 0x09f5ee 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,967 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueW at 0x09f5dc 10 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,983 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceCtrlDispatcherW at 0x09f276 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:22,983 [analyzer] CRITICAL: Error creating function stub for advapi32!StartServiceW.
2024-12-11 11:06:23,405 [analyzer] CRITICAL: Error creating function stub for advapi32!ControlService.
2024-12-11 11:06:23,405 [analyzer] CRITICAL: Unable to change memory protection of advapi32!DeleteService at 0x09f498 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,405 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerA at 0x09f336 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,405 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerW at 0x09f4a8 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,405 [analyzer] CRITICAL: Error creating function stub for advapi32!OpenServiceA.
2024-12-11 11:06:23,405 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceW at 0x09f488 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,421 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegCloseKey at 0x09f6b4 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,421 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueA at 0x09f5ee 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,421 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueW at 0x09f5dc 10 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,421 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceCtrlDispatcherW at 0x09f276 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,421 [analyzer] CRITICAL: Error creating function stub for advapi32!StartServiceW.
2024-12-11 11:06:23,530 [analyzer] CRITICAL: Error creating function stub for advapi32!ControlService.
2024-12-11 11:06:23,530 [analyzer] CRITICAL: Unable to change memory protection of advapi32!DeleteService at 0x09f498 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,530 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerA at 0x09f336 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,530 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerW at 0x09f4a8 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,530 [analyzer] CRITICAL: Error creating function stub for advapi32!OpenServiceA.
2024-12-11 11:06:23,546 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceW at 0x09f488 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,546 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegCloseKey at 0x09f6b4 5 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,546 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueA at 0x09f5ee 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,546 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueW at 0x09f5dc 10 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,546 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceCtrlDispatcherW at 0x09f276 6 to RWX (error code 0xc0000045)!
2024-12-11 11:06:23,562 [analyzer] CRITICAL: Error creating function stub for advapi32!StartServiceW.
2024-12-11 11:06:59,233 [analyzer] INFO: Process with pid 2464 has terminated
2024-12-11 11:06:59,233 [analyzer] INFO: Process list is empty, terminating analysis.
2024-12-11 11:07:00,687 [analyzer] INFO: Terminating remaining processes before shutdown.
2024-12-11 11:07:00,687 [analyzer] INFO: Analysis completed.

Cuckoo Log

2024-12-14 17:00:48,598 [cuckoo.core.scheduler] DEBUG: Task #5654409: no machine available yet
2024-12-14 17:00:49,628 [cuckoo.core.scheduler] DEBUG: Task #5654409: no machine available yet
2024-12-14 17:00:50,650 [cuckoo.core.scheduler] DEBUG: Task #5654409: no machine available yet
2024-12-14 17:00:51,681 [cuckoo.core.scheduler] DEBUG: Task #5654409: no machine available yet
2024-12-14 17:00:52,705 [cuckoo.core.scheduler] DEBUG: Task #5654409: no machine available yet
2024-12-14 17:00:53,735 [cuckoo.core.scheduler] INFO: Task #5654409: acquired machine win7x649 (label=win7x649)
2024-12-14 17:00:53,735 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.209 for task #5654409
2024-12-14 17:00:54,095 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 234169 (interface=vboxnet0, host=192.168.168.209)
2024-12-14 17:00:54,122 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x649
2024-12-14 17:00:54,666 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x649 to vmcloak
2024-12-14 17:03:24,931 [cuckoo.core.guest] INFO: Starting analysis #5654409 on guest (id=win7x649, ip=192.168.168.209)
2024-12-14 17:03:25,935 [cuckoo.core.guest] DEBUG: win7x649: not ready yet
2024-12-14 17:03:31,003 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x649, ip=192.168.168.209)
2024-12-14 17:03:31,102 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x649, ip=192.168.168.209, monitor=latest, size=6660546)
2024-12-14 17:03:32,682 [cuckoo.core.resultserver] DEBUG: Task #5654409: live log analysis.log initialized.
2024-12-14 17:03:33,626 [cuckoo.core.resultserver] DEBUG: Task #5654409 is sending a BSON stream
2024-12-14 17:03:34,001 [cuckoo.core.resultserver] DEBUG: Task #5654409 is sending a BSON stream
2024-12-14 17:03:34,898 [cuckoo.core.resultserver] DEBUG: Task #5654409: File upload for 'shots/0001.jpg'
2024-12-14 17:03:34,907 [cuckoo.core.resultserver] DEBUG: Task #5654409 uploaded file length: 110807
2024-12-14 17:03:47,388 [cuckoo.core.guest] DEBUG: win7x649: analysis #5654409 still processing
2024-12-14 17:04:02,459 [cuckoo.core.guest] DEBUG: win7x649: analysis #5654409 still processing
2024-12-14 17:04:10,561 [cuckoo.core.resultserver] DEBUG: Task #5654409: File upload for 'shots/0002.jpg'
2024-12-14 17:04:10,594 [cuckoo.core.resultserver] DEBUG: Task #5654409 uploaded file length: 133538
2024-12-14 17:04:12,060 [cuckoo.core.resultserver] DEBUG: Task #5654409: File upload for 'curtain/1733911620.41.curtain.log'
2024-12-14 17:04:12,063 [cuckoo.core.resultserver] DEBUG: Task #5654409 uploaded file length: 36
2024-12-14 17:04:12,288 [cuckoo.core.resultserver] DEBUG: Task #5654409: File upload for 'sysmon/1733911620.64.sysmon.xml'
2024-12-14 17:04:12,338 [cuckoo.core.resultserver] DEBUG: Task #5654409 uploaded file length: 2554984
2024-12-14 17:04:12,639 [cuckoo.core.resultserver] DEBUG: Task #5654409 had connection reset for <Context for LOG>
2024-12-14 17:04:14,543 [cuckoo.core.guest] INFO: win7x649: analysis completed successfully
2024-12-14 17:04:14,552 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2024-12-14 17:04:14,675 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2024-12-14 17:04:15,602 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x649 to path /srv/cuckoo/cwd/storage/analyses/5654409/memory.dmp
2024-12-14 17:04:15,604 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x649
2024-12-14 17:05:27,468 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.209 for task #5654409
2024-12-14 17:05:27,882 [cuckoo.core.scheduler] DEBUG: Released database task #5654409
2024-12-14 17:05:27,897 [cuckoo.core.scheduler] INFO: Task #5654409: analysis procedure completed

Signatures

Yara rule detected for file (1 event)
description (no description) rule LnkHeader
Command line console output was observed (1 event)
API: WriteConsoleW
Arguments: buffer: Access is denied. ; console_handle: 0x000000000000000b
Status: 1, Return: 1, Repeated: 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
API: GlobalMemoryStatusEx
Status: 1, Return: 1, Repeated: 0
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator\AppData\Local\Temp\23eea7f017eac75c_nqndyy.lnk
File has been identified by 3 AntiVirus engines on IRMA as malicious (3 events)
G Data Antivirus (Windows) Virus: Win32.Trojan.Agent.YA (Engine B)
Sophos Anti-Virus (Linux) Troj/LnkRun-EX
ESET Security (Windows) LNK/Agent.GZ trojan
Screenshots

Domains (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Hosts (IP Address / Status / Action / VT / Location)
No hosts contacted.