Analysis
  max time kernel: 141s
  max time network: 142s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 02-06-2022 19:05

Static task: static1

Behavioral task: behavioral1
  Sample: Parking_Receipt_5.doc.lnk
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: Parking_Receipt_5.doc.lnk
  Resource: win10v2004-20220414-en
General
  Target: Parking_Receipt_5.doc.lnk
  Size: 9KB
  MD5: 2ef37d3814879f5c1e57bbb61642e6f7
  SHA1: a8ead0c5e0b5e150f9f8945065e151434991123f
  SHA256: eb17b9b7a32be1e5056b599e859e3bf46b0c55fd7334775f5b3548f49a74d8ce
  SHA512: bbd46965cdf208d97fa2093f19d4eb1a05ebc4fff2885f9c75cbc345b7009ff30b6e3d8b2d14b3486aeda7be6c754946bdcec5b034db78888773933eff91b9a0
Malware Config
Signatures
  Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        | ioc                                                                                                  | process
    Key value queried  | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | cmd.exe
    Key value queried  | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | cmd.exe

  Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Modifies registry class (1 IoC)
  Processes:
    description  | ioc                                                                              | process
    Key created  | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | cmd.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       | pid  | process | target process
    PID 4044 wrote to memory of 2512  | 4044 | cmd.exe | cmd.exe
    PID 4044 wrote to memory of 2512  | 4044 | cmd.exe | cmd.exe
    PID 2512 wrote to memory of 3308  | 2512 | cmd.exe | findstr.exe
    PID 2512 wrote to memory of 3308  | 2512 | cmd.exe | findstr.exe
    PID 2512 wrote to memory of 4420  | 2512 | cmd.exe | WScript.exe
    PID 2512 wrote to memory of 4420  | 2512 | cmd.exe | WScript.exe
Processes (indented by process-tree depth)
  C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Parking_Receipt_5.doc.lnk
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c zlAIE & (findstr "execu.*" Parking_Receipt_5.doc.lnk > "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs" & "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs") & yJYAz
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\findstr.exe
        findstr "execu.*" Parking_Receipt_5.doc.lnk

      C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs
    Filesize: 7KB
    MD5: 0ccb5ac219b4bca69895368631d4d951
    SHA1: 9d27df981760e94871b5bd9850fe4ce95ed11ede
    SHA256: c6e8e7340deba567e9e908ec7e909b669882bde38690cf372bdcdfa2eb77bc99
    SHA512: 43fb935c8075820e2f68c0eb345c02c6588cd0f1355da94865cb683bd5964783ebfc8d3182285d2fd09fd8779e62166873dd9965e742e1b6b0e291e1bda9e87a
  memory/2512-130-0x0000000000000000-mapping.dmp
  memory/3308-131-0x0000000000000000-mapping.dmp
  memory/4420-132-0x0000000000000000-mapping.dmp