Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 09-05-2024 17:34
Static task: static1
Behavioral task: behavioral1
- Sample: Parking_Receipt_5.doc.lnk
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: Parking_Receipt_5.doc.lnk
- Resource: win10v2004-20240508-en
General
- Target: Parking_Receipt_5.doc.lnk
- Size: 9KB
- MD5: 2ef37d3814879f5c1e57bbb61642e6f7
- SHA1: a8ead0c5e0b5e150f9f8945065e151434991123f
- SHA256: eb17b9b7a32be1e5056b599e859e3bf46b0c55fd7334775f5b3548f49a74d8ce
- SHA512: bbd46965cdf208d97fa2093f19d4eb1a05ebc4fff2885f9c75cbc345b7009ff30b6e3d8b2d14b3486aeda7be6c754946bdcec5b034db78888773933eff91b9a0
- SSDEEP: 96:8Bdb3k4wk2houqRHMEA3ws/c1T0RdoyG37uv:8BRURhm2cs/cB0Tc3K
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  PID 2208 (cmd.exe) wrote to memory of PID 2588 (cmd.exe), 3 times
  PID 2588 (cmd.exe) wrote to memory of PID 2808 (findstr.exe), 3 times
  PID 2588 (cmd.exe) wrote to memory of PID 2528 (WScript.exe), 3 times
  A parent writing to each child it spawns is normal process-creation behaviour; the value of this signature is the chain it records (cmd.exe -> cmd.exe -> findstr.exe and WScript.exe), not the writes themselves.
Processes
- C:\Windows\system32\cmd.exe (PID 2208)
  cmd /c C:\Users\Admin\AppData\Local\Temp\Parking_Receipt_5.doc.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 2588)
    "C:\Windows\System32\cmd.exe" /c zlAIE & (findstr "execu.*" Parking_Receipt_5.doc.lnk > "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs" & "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs") & yJYAz
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\findstr.exe (PID 2808)
      findstr "execu.*" Parking_Receipt_5.doc.lnk
    - C:\Windows\System32\WScript.exe (PID 2528)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs"
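How the chain works, read off the process tree: the shortcut's target is cmd.exe and its arguments are the second command line. `zlAIE` and `yJYAz` are junk tokens that cmd cannot resolve; `&` runs the next command regardless of the previous one's result, so they cost the attacker nothing and only pad the command line. findstr applies the regular expression `execu.*` to the .lnk file itself (the relative path resolves because the shortcut is opened from its own Temp directory), writes every matching line to gnzoM.vbs, and cmd then launches that .vbs, which the file association hands to WScript.exe. The 7KB script listed under Downloads is therefore carried inside the 9KB shortcut, with its lines tagged so that findstr pulls only them out of the binary.

The Python below is an added triage example, not part of the sandbox output. It parses the Shell Link structures (MS-SHLLINK) to recover the target arguments and the offset at which the shortcut's structure ends (bytes after the TerminalBlock are overlay), carves the script the same way `findstr "execu.*"` does, and hashes the result so it can be compared with the dropped-file hashes above. The .lnk it builds when run without a path is constructed here (a minimal header, the arguments string copied from the process tree, and a harmless stand-in script); the real sample is not embedded, and the assumption that the real script is appended after the structure is exactly what the `overlay` output lets you check.

```python
"""Triage helper for the Parking_Receipt_5.doc.lnk chain: find where the Shell
Link structure ends (anything after it is overlay) and carve the embedded
script the way `findstr "execu.*" <file>` does.

Added example for this report, not part of the sandbox output. The .lnk bytes
used when no path is given are CONSTRUCTED (minimal header plus a harmless
stand-in script); the real sample is not embedded.
"""
import hashlib
import re
import struct
import sys

# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this order when their LinkFlags bit is set.
STRING_DATA = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
               ("arguments", 0x20), ("icon_location", 0x40))
# The regex the observed command line hands to findstr.
FINDSTR_PATTERN = re.compile(rb"execu.*")


def parse_lnk(data: bytes) -> dict:
    """Walk the MS-SHLLINK structures; return the StringData fields, the offset
    just past the ExtraData TerminalBlock, and whatever bytes follow (overlay)."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off, strings = 0x4C, {}
    # Assumption: non-Unicode StringData is decoded as cp1252.
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    try:
        if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + items
            off += 2 + struct.unpack_from("<H", data, off)[0]
        if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
            off += struct.unpack_from("<I", data, off)[0]
        for name, bit in STRING_DATA:            # CountCharacters + characters
            if flags & bit:
                count = struct.unpack_from("<H", data, off)[0]
                off += 2
                strings[name] = data[off:off + count * width].decode(enc, "replace")
                off += count * width
        while True:                              # ExtraData blocks
            size = struct.unpack_from("<I", data, off)[0]
            off += 4
            if size < 4:                         # TerminalBlock: structure ends
                break
            off += size - 4
    except struct.error as exc:
        raise ValueError("truncated Shell Link") from exc
    return {"flags": flags, "strings": strings,
            "structure_end": off, "overlay": data[off:]}


def carve_like_findstr(data: bytes, pattern=FINDSTR_PATTERN) -> bytes:
    """Emulate `findstr "execu.*" file > out.vbs`: the whole .lnk is treated as
    text, split on line breaks, and every line matching the regex is emitted.
    Matches are re-joined with CRLF, an approximation of findstr's output, so
    a hash of the result may differ from the dropped file by line endings."""
    hits = [ln.rstrip(b"\r") for ln in data.split(b"\n") if pattern.search(ln)]
    return b"".join(h + b"\r\n" for h in hits)


def digests(blob: bytes) -> dict:
    """MD5/SHA1/SHA256 of the carved bytes, for comparison with Downloads."""
    return {a: hashlib.new(a, blob).hexdigest() for a in ("md5", "sha1", "sha256")}


# Constructed fixture: the arguments string is the one recorded in the process
# tree; the appended script is a harmless stand-in, not the real gnzoM.vbs.
SAMPLE_ARGS = ('/c zlAIE & (findstr "execu.*" Parking_Receipt_5.doc.lnk > '
               '"C:\\Users\\Admin\\AppData\\Local\\Temp\\gnzoM.vbs" & '
               '"C:\\Users\\Admin\\AppData\\Local\\Temp\\gnzoM.vbs") & yJYAz')
SAMPLE_VBS = (b"' constructed stand-in, not the real payload\r\n"   # no marker: not carved
              b"Set sh = CreateObject(\"WScript.Shell\") 'execu\r\n"
              b"WScript.Echo \"carved stand-in\" 'execu\r\n")


def build_sample_lnk(args: str, overlay: bytes) -> bytes:
    """Minimal .lnk: header with HasArguments|IsUnicode, the arguments string,
    a TerminalBlock, then `overlay` appended after the structure."""
    flags = 0x20 | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
              + b"\x00" * (0x4C - 0x18))          # remaining header fields zeroed
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + overlay


if __name__ == "__main__":
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_lnk(SAMPLE_ARGS, SAMPLE_VBS))
    info = parse_lnk(data)
    print("target arguments:", info["strings"].get("arguments"))
    print(f"structure ends at 0x{info['structure_end']:x}; "
          f"overlay = {len(info['overlay'])} of {len(data)} bytes")
    carved = carve_like_findstr(data)
    print("carved script:\n" + carved.decode("latin-1"), end="")
    for algo, hexd in digests(carved).items():
        print(f"{algo}: {hexd}")
```

Run it as `python carve_lnk.py Parking_Receipt_5.doc.lnk` against the real file. Note that the UTF-16 arguments inside the header also contain the word `execu`, but as wide characters they never match the byte-level regex, which is why findstr returns only the script lines and none of the shortcut's own fields. If the MD5 of the carved output does not equal 0ccb5ac219b4bca69895368631d4d951, check line endings first before concluding the script was modified at runtime.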
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs
  Filesize: 7KB
  MD5: 0ccb5ac219b4bca69895368631d4d951
  SHA1: 9d27df981760e94871b5bd9850fe4ce95ed11ede
  SHA256: c6e8e7340deba567e9e908ec7e909b669882bde38690cf372bdcdfa2eb77bc99
  SHA512: 43fb935c8075820e2f68c0eb345c02c6588cd0f1355da94865cb683bd5964783ebfc8d3182285d2fd09fd8779e62166873dd9965e742e1b6b0e291e1bda9e87a