Analysis
- max time kernel: 4265058s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 17-01-2022 16:16
Static task: static1
Behavioral task: behavioral1
- Sample: image.cmd.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: image.cmd.exe
- Resource: win10v2004-en-20220113
General
- Target: image.cmd.exe
- Size: 3.1MB
- MD5: 6f16cdd2022697146305e80f3a0b0d18
- SHA1: 67ba9eeaf24aa39a5bfd0d385cdd8fa756f4405e
- SHA256: a75b04b359e9fba84407f4763ee90c36031685de4ea4b38020f9913b815baf71
- SHA512: 6121c3872a52c54314c158b4b05b144c439d5d3a87ed59616fc241926a4df2097a2c455901a7b5b6b0a603fd107ed6c19ac6a58d635f8a0bb2d9d5e46fb4c6e5
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    Process: cmd.exe
- Drops file in Windows directory (1 IoC)
  Processes: mspaint.exe
    description: File opened for modification
    ioc: C:\Windows\Debug\WIA\wiatrace.log
    Process: mspaint.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotification.exe
    description: Key opened
    ioc: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Process: MusNotification.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Process: MusNotification.exe
- Modifies registry class (1 IoC)
  Processes: cmd.exe
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings
    Process: cmd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: mspaint.exe
    pid: 3304  Process: mspaint.exe  (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: MusNotification.exe
    description: Token: SeShutdownPrivilege  pid: 3532  Process: MusNotification.exe
    description: Token: SeCreatePagefilePrivilege  pid: 3532  Process: MusNotification.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: image.cmd.exe, mspaint.exe
    pid: 3288  Process: image.cmd.exe  (3 entries)
    pid: 3304  Process: mspaint.exe  (4 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: image.cmd.exe, cmd.exe
    description: PID 3288 wrote to memory of 3528  pid: 3288  Process: image.cmd.exe  procid_target: 56  (3 entries)
    description: PID 3528 wrote to memory of 3304  pid: 3528  Process: cmd.exe  procid_target: 61  (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\image.cmd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\image.cmd.exe"
  PID: 3288
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FILE.bmp
    PID: 3528
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mspaint.exe
      Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\FILE.bmp"
      PID: 3304
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\MusNotification.exe
  Command line: C:\Windows\system32\MusNotification.exe
  PID: 3532
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken