Analysis

  • max time kernel
    4265058s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    17/01/2022, 16:16

General

  • Target

    image.cmd.exe

  • Size

    3.1MB

  • MD5

    6f16cdd2022697146305e80f3a0b0d18

  • SHA1

    67ba9eeaf24aa39a5bfd0d385cdd8fa756f4405e

  • SHA256

    a75b04b359e9fba84407f4763ee90c36031685de4ea4b38020f9913b815baf71

  • SHA512

    6121c3872a52c54314c158b4b05b144c439d5d3a87ed59616fc241926a4df2097a2c455901a7b5b6b0a603fd107ed6c19ac6a58d635f8a0bb2d9d5e46fb4c6e5

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\image.cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\image.cmd.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FILE.bmp
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\FILE.bmp"
        3⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3304
  • C:\Windows\system32\MusNotification.exe
    C:\Windows\system32\MusNotification.exe
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3532

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3288-130-0x0000000000950000-0x0000000000956000-memory.dmp

    Filesize

    24KB

  • memory/3288-131-0x0000000000950000-0x000000000095A000-memory.dmp

    Filesize

    40KB