If we keep looking, we can see that despite the fact that it has a TXT icon it runs PowerShell:

As you can see, the most interesting part is the arguments. They are slightly obfuscated, but it's not difficult to understand that it downloads another PowerShell script valorleads[.]com, and runs it.

Unfortunately, this time we don't have neither MAC address, nor volume serial number, but still have one interesting artifact in the Property store data block – user's SID that is S-1-5-21-2301182080-2893820282-2158489944-1000.

Ok, let's go back to downloaded PowerShell script, 1.ps1 (1fdc309f8ff96ebbe1cc4b825e21d6e44b606d389357abe0004e7a91165e0b5f). If we look inside, we can see it's quite obfuscated. Let's dig deeper and understand what happens after its execution.

The first function is qxsnrkuj:

As you can see, there are more functions inside it. Let's start from exhsfmczjl:

This function is used to generate the file's name. The name will be from 3 to 5 symbols in length and consist of low case Latin letters only.

Next function, kisejmw:

This function is used to decode Base64-encoded string. Let's go further and look at nxizc:

It's used for downloading and saving data from the URL provided using TLS 1.2 protocol.

And finally, bqzpq:

This function is used to run the file. If the file has DLL extension, regsvr32.exe with /s argument is used to run it, if the file has EXE extension, it's run as is, else – the file is opened with default associated application.

Let's get back to qxsnrkuj. Now we can see, that this function is used to download and open the decoy image from https://image.isu[.]pub/130729032316-97fbf070197fbde8e88397077c468ab6/jpg/page_1.jpg.

Next function, tryeboi:

First of all, let's decode Base64:

The function uses Windows Management Instrumentation (WMI) to gather information about target's operating system version. If the version is 6.3 or older, it uses eventvwr.exe to bypass User Account Control (UAC), if it's 9.1 or newer – fodhelper.exe will be used for bypassing.

The first bypass technique is based on adding the path to dropped executable to (Default) value under HKCU\Software\Classes\mscfile\shell\open\command, so Event Viewer (eventvwr.exe) will run the malicious executable instead of Microsoft Management Console (mmc.exe).

The second bypass technique is based on adding the path to dropped executable to "(Default)" value under HKCU\Software\Classes\ms-settings\shell\open\command, so Features On Demand Helper (fodhelper.exe) will run the malicious executable.

Next function, elvbfzcoa:

This function adds "hidden" attribute to the file.

Let's look at ijrxnfqo:

This function suspends process for the number of seconds provided.

Next function, nvbkjgswu, contains Base64-encoded payload that will be decoded and saved to C:\Users\Public with a name generated by qxsnrkuj function. The payload is CobInt stager that will download Cobalt Strike beacon from hXXp://safestaticfirefox[.]com/uacuxuiaeoerkaryixju.

And the last function I'm going to look at – pqdtvi:

The function opens previously downloaded image, adds EXE extension to extracted CobInt stager and run it suspending the process for 30 seconds.

Ok, let's put it all together. The user opens the IMG file he or she received, weaponized LNK file inside downloads and runs 1.ps1. Downloaded PowerShell script downloads and opens the decoy image, extracts CobInt stager, runs it with eventvwr.exe to bypass UAC if OS version is 6.3 or earlier, or fodhelper.exe if it's 9.1 or newer, and suspend process for 30 seconds. Finally, the stager downloads and runs the beacon.

To summarize the analysis, let's map the techniques used by the threat actors to MITRE ATT&CK: