Overview
overview
10Static
static
Invoice-06-1022.iso
windows7_x64
3Invoice-06-1022.iso
windows10-2004_x64
31728.ps1
windows7_x64
11728.ps1
windows10-2004_x64
10Scan_282.jpg
windows7_x64
3Scan_282.jpg
windows10-2004_x64
3Scan_282.jpg.lnk
windows7_x64
3Scan_282.jpg.lnk
windows10-2004_x64
8x.txt
windows7_x64
1x.txt
windows10-2004_x64
1Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
03-06-2022 04:28
Static task
static1
Behavioral task
behavioral1
Sample
Invoice-06-1022.iso
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Invoice-06-1022.iso
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
1728.ps1
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
1728.ps1
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
Scan_282.jpg
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
Scan_282.jpg
Resource
win10v2004-20220414-en
Behavioral task
behavioral7
Sample
Scan_282.jpg.lnk
Resource
win7-20220414-en
Behavioral task
behavioral8
Sample
Scan_282.jpg.lnk
Resource
win10v2004-20220414-en
Behavioral task
behavioral9
Sample
x.txt
Resource
win7-20220414-en
Behavioral task
behavioral10
Sample
x.txt
Resource
win10v2004-20220414-en
General
-
Target
Scan_282.jpg.lnk
-
Size
1KB
-
MD5
371924fdfffd4ca69857e94260c34a74
-
SHA1
2a1dc23c24010a8b5ef3b512ea3e3c6d2f52a44b
-
SHA256
801086851a46749a95efc050102fb85b761c0ccb191dfd29ff39c6b7cacb6292
-
SHA512
f9cbf21c27cf3473a2b73141dfd728d9d8824d20afc24f4b4b93ca5bf9536bd594c7a6d4100be2a2fc9c8e4b85b9dcf9797f61f60267128ea31cb44bfb43aba0
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 6 2668 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 2668 powershell.exe 2668 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2668 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
cmd.exedescription pid process target process PID 4320 wrote to memory of 2668 4320 cmd.exe powershell.exe PID 4320 wrote to memory of 2668 4320 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Scan_282.jpg.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file 1728.ps12⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668