Analysis
-
max time kernel
142s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
22-04-2022 21:50
General
-
Target
INV 2022-04-22_1538, US.doc.lnk
-
Size
3KB
-
MD5
acbbc946a9441b52cc8cd84292977931
-
SHA1
232258201e20b9b256a64987227148095aa2954b
-
SHA256
082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203
-
SHA512
0fb9d77e80b9e0d6c0e3082f289f7f27a0f19747dbc8d69ae6a8935bf91668905a161364f8f468864156989ecb05b03291cfe11a8541d9f26cb2f56718972a22
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\INV 2022-04-22_1538, US.doc.lnk"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /v:on /c findstr "rSIPPswjwCtKoZy.*" Password2.doc.lnk > "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs" & "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\findstr.exefindstr "rSIPPswjwCtKoZy.*" Password2.doc.lnk3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs"3⤵
-
-