Windows
Analysis Report
https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/2024-10-03/6vlqsq0ea94qi8rth4tp24je96k0dmndp8mrv081/4800d67e9c2c9b1c9b33e5072a3a4d3590a0f2a7c85332a08f56f93ba90730df?response-content-disposition=attachment%3B%20filename%3D%2215009518.tif%22%3B%20filena
Overview
General Information
Detection
Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%
Signatures
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64
- cmd.exe (PID: 7768 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/2024-10-03/6vlqsq0ea94qi8rth4tp24je96k0dmndp8mrv081/4800d67e9c2c9b1c9b33e5072a3a4d3590a0f2a7c85332a08f56f93ba90730df?response-content-disposition=attachment%3B%20filename%3D%2215009518.tif%22%3B%20filename%2A%3DUTF-8%27%2715009518.tif&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QBKQZ3X6K%2F20241004%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241004T130300Z&X-Amz-Expires=20166&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEI3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDbW0ksT3kpFTNmdUCSlFAfWS8tve21ITgXdvedLvrBsAiEAjwTn8R9LuIHi9v2IUGcvynJ3u75fZePpg%2Fb7j8YBKfwqiAQI1v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDAaDG9BVYOPBSHu6TCrcA9jgSDwvR9kC3YEyJ%2BUj76%2B7ozV3IRDwuyAxYIRLInLLpzpFae%2BG7%2FN6hZIYntHvG0RTeaQu8gqTH9RMNxceYkMtryExakSeTn6EyV0rGw1nrz2nnuB%2BvQv2tBhO5g%2FDVEKGIAkBHGXqzCn7l8sitWAQGOFLntTEo8BRSSxLlZhyFKa6r0DTJWA2HRoAMXhvc3e0H%2BZGBW5HnLqIrE6mXeNgar8r7Ix3qP8bgDuIgWYB7BFixCDXcARA6UNqlB9JpI%2BNOzUzOr0g0AWnhyxmqUWBAPUtN2GsQIj%2F5NWAcXL7IJmnBVnmjPE3cIE19Z0sPyPwecimhXPV%2F3452vlugUGuyA%2BUCpqO6E0uatRty3%2FJWz5PcMFLXAopfdfO7IsOTk15zFHXOajtRqzCHv%2BIdRY2SnMY%2Bj5M%2BR88dqdl0%2FxMG%2BUGX5ApvpElUc3M5tH3Jy6fFHsSCBXVkBMt6jnBZWvJ%2BjWo%2BndZwoGdolsb9RuxU6LebmB8OguaOjxxF1r%2F23i5GLeyKLN8YLjUskJC56144IEpXs8YyGkpPsWw%2BEW2kK86Pa5d%2BtwXe9IioLos6ixB2GhVujVEx%2FpUEs%2FZT588Z76kuoFvhwHWwJQIHEh%2F4gtLz%2F3fGY7%2BAhKuMOrD%2F7cGOqUBFB1cCMjdqrpYzbQJl2m6RTmIUSrbFcnAuWFndE8tYoIxIeSc76oacoRCg3jQ4gXh3OQ9iaQuEBSG75w4RLP2uhktT%2BYfgY7mvU0ELQrSRvY6pIle4m6GIQmDHmtX1PTKRLZeS%2Fw2IGtJclWysxcCoXM155PfDM3KgcZhcxplk6YDOxky4u541EsuhZhklnOgutd%2FWYe2whdvHI4RzpQa9k8KEhDi&X-Amz-SignedHeaders=host&X-Amz-Signature=ece90186affc7b0a60310ade8e3c5cdb107dc9de5c37bc91dd97a78b3d4097d0" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wget.exe (PID: 7864 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/2024-10-03/6vlqsq0ea94qi8rth4tp24je96k0dmndp8mrv081/4800d67e9c2c9b1c9b33e5072a3a4d3590a0f2a7c85332a08f56f93ba90730df?response-content-disposition=attachment%3B%20filename%3D%2215009518.tif%22%3B%20filename%2A%3DUTF-8%27%2715009518.tif&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QBKQZ3X6K%2F20241004%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241004T130300Z&X-Amz-Expires=20166&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEI3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDbW0ksT3kpFTNmdUCSlFAfWS8tve21ITgXdvedLvrBsAiEAjwTn8R9LuIHi9v2IUGcvynJ3u75fZePpg%2Fb7j8YBKfwqiAQI1v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDAaDG9BVYOPBSHu6TCrcA9jgSDwvR9kC3YEyJ%2BUj76%2B7ozV3IRDwuyAxYIRLInLLpzpFae%2BG7%2FN6hZIYntHvG0RTeaQu8gqTH9RMNxceYkMtryExakSeTn6EyV0rGw1nrz2nnuB%2BvQv2tBhO5g%2FDVEKGIAkBHGXqzCn7l8sitWAQGOFLntTEo8BRSSxLlZhyFKa6r0DTJWA2HRoAMXhvc3e0H%2BZGBW5HnLqIrE6mXeNgar8r7Ix3qP8bgDuIgWYB7BFixCDXcARA6UNqlB9JpI%2BNOzUzOr0g0AWnhyxmqUWBAPUtN2GsQIj%2F5NWAcXL7IJmnBVnmjPE3cIE19Z0sPyPwecimhXPV%2F3452vlugUGuyA%2BUCpqO6E0uatRty3%2FJWz5PcMFLXAopfdfO7IsOTk15zFHXOajtRqzCHv%2BIdRY2SnMY%2Bj5M%2BR88dqdl0%2FxMG%2BUGX5ApvpElUc3M5tH3Jy6fFHsSCBXVkBMt6jnBZWvJ%2BjWo%2BndZwoGdolsb9RuxU6LebmB8OguaOjxxF1r%2F23i5GLeyKLN8YLjUskJC56144IEpXs8YyGkpPsWw%2BEW2kK86Pa5d%2BtwXe9IioLos6ixB2GhVujVEx%2FpUEs%2FZT588Z76kuoFvhwHWwJQIHEh%2F4gtLz%2F3fGY7%2BAhKuMOrD%2F7cGOqUBFB1cCMjdqrpYzbQJl2m6RTmIUSrbFcnAuWFndE8tYoIxIeSc76oacoRCg3jQ4gXh3OQ9iaQuEBSG75w4RLP2uhktT%2BYfgY7mvU0ELQrSRvY6pIle4m6GIQmDHmtX1PTKRLZeS%2Fw2IGtJclWysxcCoXM155PfDM3KgcZhcxplk6YDOxky4u541EsuhZhklnOgutd%2FWYe2whdvHI4RzpQa9k8KEhDi&X-Amz-SignedHeaders=host&X-Amz-Signature=ece90186affc7b0a60310ade8e3c5cdb107dc9de5c37bc91dd97a78b3d4097d0" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- cleanup
No configs have been found
No yara matches
Source: Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger