052f15250453f9ec90857dfbf70301dcf7030deeac6a3a57ae368fc9764987ec

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c05d489112b0dcd6af92174d50b23a8a.exe
Size

73KB
MD5

c05d489112b0dcd6af92174d50b23a8a
SHA1

77108bdae069ee4f291155950d2701c51c624c44
SHA256

052f15250453f9ec90857dfbf70301dcf7030deeac6a3a57ae368fc9764987ec
SHA512

978667e0bcd4135d0a5fa32398492e5e5f47658cb5e0a5068b150d348f44c526716f3c3306e7acb9ec583eda69d51a447ddc3157899f7440c77ef0f01cc0a35d
SSDEEP

768:6YMqEp7FN3mmRFvkYV0IEshi/XU8gVc/2n1qhXzWhTpRzyf4SJsEbfED6nX30a7M:Gt/RR0dUi/Jge/24hXzaNRziJHXzf7o

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2536	link.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	link.exe

Loads dropped DLL 1 IoCs

pid	Process
2068	c05d489112b0dcd6af92174d50b23a8a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\JAVADE~1\JAVAMI~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MICROS~1\MICROS~1\MICROS~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MAINTE~1\CREATE~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MICROS~1\MICROS~2.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\WINDOW~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\REMOTE~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\WINDOW~1\WINDOW~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MICROS~1\MIAF79~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Games\INTERN~3.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Games\SOLITA~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MAINTE~1\REMOTE~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MICROS~1\MI4465~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\WELCOM~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ADOBER~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Games\SPIDER~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MICROS~1\MICROS~1\MICROS~4.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\SYSTEM~1\TASKSC~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\SYSTEM~1\WINDOW~2.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ADMINI~1\EVENTV~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ADMINI~1\PRINTM~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Games\MINESW~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\SYSTEM~1\SYSTEM~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\SHAREP~1\MICROS~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Games\INTERN~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Games\INTERN~2.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\VideoLAN\RELEAS~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\WINDOW~3.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\SNIPPI~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\SYSTEM~1\WINDOW~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\Wordpad.lnk	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MICROS~1\MICROS~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\GOOGLE~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Java\VISITJ~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Sidebar.lnk	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\SOUNDR~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\TABLET~1\SHAPEC~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Games\FreeCell.lnk	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MICROS~1\MICROS~3.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\SYSTEM~1\SYSTEM~2.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Java\CONFIG~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MEDIAC~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\VideoLAN\VIDEOL~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ADMINI~1\SECURI~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Firefox.lnk	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\WINDOW~2.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\7-Zip\7-ZIPF~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\DISPLA~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\NETWOR~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ADMINI~1\ISCSII~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\CALCUL~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\SYSTEM~1\dfrgui.lnk	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ADMINI~1\MEMORY~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MICROS~1\MICROS~1\MICROS~2.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\MAINTE~1\BACKUP~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ADMINI~1\WINDOW~2.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\XPSVIE~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ADMINI~1\services.lnk	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\VideoLAN\DOCUME~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\VideoLAN\VLCMED~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\STICKY~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ADMINI~1\PERFOR~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\VideoLAN\VLCMED~2.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\ACCESS~1\SPEECH~1.LNK	link.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\SYSTEM~1\DISKCL~1.LNK	link.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2536	link.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2536	2068	c05d489112b0dcd6af92174d50b23a8a.exe	29
PID 2068 wrote to memory of 2536	2068	c05d489112b0dcd6af92174d50b23a8a.exe	29
PID 2068 wrote to memory of 2536	2068	c05d489112b0dcd6af92174d50b23a8a.exe	29
PID 2068 wrote to memory of 2536	2068	c05d489112b0dcd6af92174d50b23a8a.exe	29

C:\Users\Admin\AppData\Local\Temp\c05d489112b0dcd6af92174d50b23a8a.exe
"C:\Users\Admin\AppData\Local\Temp\c05d489112b0dcd6af92174d50b23a8a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\link.exe
  "C:\Users\Admin\AppData\Local\Temp\link.exe" C:\Users\Admin\AppData\Local\Temp\C05D48~1.EXE
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\link.exe

Filesize
73KB

MD5
c05d489112b0dcd6af92174d50b23a8a

SHA1
77108bdae069ee4f291155950d2701c51c624c44

SHA256
052f15250453f9ec90857dfbf70301dcf7030deeac6a3a57ae368fc9764987ec

SHA512
978667e0bcd4135d0a5fa32398492e5e5f47658cb5e0a5068b150d348f44c526716f3c3306e7acb9ec583eda69d51a447ddc3157899f7440c77ef0f01cc0a35d

Download Submit
memory/2536-8-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download