General
-
Target
Overdue_Invoice_2023B.pdf.lnk
-
Size
1KB
-
Sample
230206-t9dljaab7y
-
MD5
094815ab6988cda2101381cbeeb0056e
-
SHA1
df5f22ce9d8e0ee3ebca101f5112c6456088d317
-
SHA256
0135c4f45de3e2187708033da3135210b03c9db4275dfa794dbcbff21b4f4df9
-
SHA512
c8f3aae210a0157275c0f24e9175ef9d508c55fd5c8e48e6c10e95a79a9f41927d5574dc5197c9594f6fbfefe3eb19f851570c6bb5e0eaecd6311731e26e4363
Static task
static1
Behavioral task
behavioral1
Sample
Overdue_Invoice_2023B.pdf.lnk
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Overdue_Invoice_2023B.pdf.lnk
Resource
win10v2004-20221111-en
Malware Config
Extracted
cobaltstrike
987654321
http://185.225.74.52:443/favicon.js
-
access_type
512
-
beacon_type
2048
-
host
185.225.74.52,/favicon.js
-
http_header1
AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAE0FjY2VwdC1FbmNvZGluZzogYnIAAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tVVMAAAAHAAAAAAAAAA0AAAADAAAAAgAAABp3b29jb21tZXJjZV9pdGVtc19pbl9jYXJ0PQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGUFjY2VwdC1FbmNvZGluZzogZ3ppcCwgYnIAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAANAAAAAwAAAAIAAAAIZGV0YWlscz0AAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
55991
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
9.63976192e+08
-
unknown2
AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/btn_bg
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135
-
watermark
987654321
Targets
-
-
Target
Overdue_Invoice_2023B.pdf.lnk
-
Size
1KB
-
MD5
094815ab6988cda2101381cbeeb0056e
-
SHA1
df5f22ce9d8e0ee3ebca101f5112c6456088d317
-
SHA256
0135c4f45de3e2187708033da3135210b03c9db4275dfa794dbcbff21b4f4df9
-
SHA512
c8f3aae210a0157275c0f24e9175ef9d508c55fd5c8e48e6c10e95a79a9f41927d5574dc5197c9594f6fbfefe3eb19f851570c6bb5e0eaecd6311731e26e4363
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-