Overview

overview

9

Static

static

document-1...98.lnk

windows7-x64

9

document-1...98.lnk

windows10-2004-x64

7

wfNRQyZ3.dll

windows7-x64

3

wfNRQyZ3.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/09/2022, 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    document-130722.10498.lnk

  • Size

    1KB

  • MD5

    4fc5487f3a00ebde42c1f00e338fb9b0

  • SHA1

    c129fef267cf6e76c565b9206a078fc1f2f78889

  • SHA256

    32de9a1f6a2a109cb6dedc1cfa9b14e0ce443c53e1232b8c459fe0ad25f473b7

  • SHA512

    1d77f640b27b0a537ab9121601e00956347b2641febe04261d1ef40688004344fa0d8e144d9167c273136162b346c9e565e394fc6fa008e11e529caefaf1e00b

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\document-130722.10498.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "start RvimAikr.png && start ru^n^d^l^l3^2 wfNRQyZ3.d^l^l, maincase"
      2⤵
        PID:4840

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads