ec4bf6cfc55df437a044d2f779cfd3619ddc96d4c7c5cb6621f38e9e30ec1041

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2022 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fonts/BOD_BI.ttf
Size

83KB
MD5

5bb67e55de4ee82aff5585b7bc7df099
SHA1

30c29ebba4511f7ffb96bc056bfb6531229011f4
SHA256

9729e2ae73b15871db606a18a48b8674ce2bae35d76a511d3510c4a9db2385ef
SHA512

51e91ff81bf05e2cd05d0caaf81f8ce6742d7ef9b8f7857daad2bbad085f419d6773c1bd664f040bf0028f51139046bb23589c1c66c3c4065dfd34d246c64c84
SSDEEP

1536:j0mROXFT8UwUDH49fe7/jtYMXVT4FBMDbsJ4/RG2luywo60qdlnHy721Mslt6l2G:wnXp8UwUDY9fC0gTqy4DnSK1MsN9uELO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cmd.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 536 wrote to memory of 4288 536 cmd.exe fontview.exe
PID 536 wrote to memory of 4288 536 cmd.exe fontview.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

description	pid	process	target process
PID 536 wrote to memory of 4288	536	cmd.exe	fontview.exe
PID 536 wrote to memory of 4288	536	cmd.exe	fontview.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\fonts\BOD_BI.ttf
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\fonts\BOD_BI.ttf
2⤵
PID:4288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4288-132-0x0000000000000000-mapping.dmp

Download