c2c5837094cd8de442e49235887ce10e31e9f7ccc39af67235cfd548e7a1a177 | Triage

Submit
Reports

Overview

overview

9

Static

static

1

c2c5837094...77.lnk

windows7-x64

8

c2c5837094...77.lnk

windows10-2004-x64

9

Sharing

General

Target

c2c5837094cd8de442e49235887ce10e31e9f7ccc39af67235cfd548e7a1a177.lnk
Size

2KB
Sample

241127-dhhheazqer
MD5

4a658619a07a5237c0e85b75bf14e644
SHA1

089a04cc3a66c5b86ddbb6a481c5ab8702c1e621
SHA256

c2c5837094cd8de442e49235887ce10e31e9f7ccc39af67235cfd548e7a1a177
SHA512

88e0b970b2da52b263ecd6008a58df1094ce1acac03bd1358afad0d99daa6c3f89c32122451a3f6632f42db70541b3982ecaff046eda569968ed6ffd2879a394

Score

9^/10

defense_evasion discovery execution lateral_movement

Static task

static1

Behavioral task

behavioral1

Sample

c2c5837094cd8de442e49235887ce10e31e9f7ccc39af67235cfd548e7a1a177.lnk

Resource

win7-20240903-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

c2c5837094cd8de442e49235887ce10e31e9f7ccc39af67235cfd548e7a1a177.lnk

Resource

win10v2004-20241007-en

defense_evasion discovery execution lateral_movement

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Targets

- Target
  
  c2c5837094cd8de442e49235887ce10e31e9f7ccc39af67235cfd548e7a1a177.lnk
- Size
  
  2KB
- MD5
  
  4a658619a07a5237c0e85b75bf14e644
- SHA1
  
  089a04cc3a66c5b86ddbb6a481c5ab8702c1e621
- SHA256
  
  c2c5837094cd8de442e49235887ce10e31e9f7ccc39af67235cfd548e7a1a177
- SHA512
  
  88e0b970b2da52b263ecd6008a58df1094ce1acac03bd1358afad0d99daa6c3f89c32122451a3f6632f42db70541b3982ecaff046eda569968ed6ffd2879a394
Score

9^/10

execution defense_evasion discovery lateral_movement
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Remote Service Session Hijacking: RDP Hijacking
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  lateral_movement
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Account Manipulation

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Account Manipulation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Users

Indicator Removal

Network Share Connection Removal

Modify Registry

Credential Access

Discovery

Permission Groups Discovery

Local Groups

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Remote Service Session Hijacking

RDP Hijacking

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

defense_evasiondiscoveryexecutionlateral_movement

© 2018-2025

Terms | Privacy