Analysis
- max time kernel: 188s
- max time network: 197s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
- submitted: 27-04-2024 22:18
Static task
- static1
Behavioral tasks
- behavioral1: Sample JO-PARIS2024-Billets.lnk, Resource win7-20240221-en
- behavioral2: Sample JO-PARIS2024-Billets.lnk, Resource win10v2004-20240226-en
- behavioral3: Sample billets.exe, Resource win7-20240220-en
- behavioral4: Sample billets.exe, Resource win10v2004-20240419-en
- behavioral5: Sample rickroll.cmd, Resource win7-20240221-en
- behavioral6: Sample rickroll.cmd, Resource win10v2004-20240419-en
General
- Target: rickroll.cmd
- Size: 243B
- MD5: de36d4e5dfac1616f56c14d14c0486be
- SHA1: 879215bca135b5b801280416dbfa2427cc68514c
- SHA256: c8b39b18d80618faf5486697e8f1bf5e51962c01c73f4630eebd6c5dbee058f6
- SHA512: dbdc13f968137402330f214d3203873ea7e894821bc45a3e2274dceb592f32194af8a51a02236818adba2462ec507f3081b868fab03235509be1aca9d656e08b
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: cmd.exe
  description                      pid  process  target process
  PID 516 wrote to memory of 2408  516  cmd.exe  cmd.exe
  PID 516 wrote to memory of 2408  516  cmd.exe  cmd.exe
  PID 516 wrote to memory of 1776  516  cmd.exe  xcopy.exe
  PID 516 wrote to memory of 1776  516  cmd.exe  xcopy.exe
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rickroll.cmd"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo f"
  - C:\Windows\system32\xcopy.exe (depth 2)
    Command line: xcopy billets.png C:\Users\Admin\AppData\Local\Temp\20378.24007 /h /s /e /f