Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-11-2022 12:06

General

  • Target

    New Text Document.txt

  • Size

    1B

  • MD5

    0cc175b9c0f1b6a831c399e269772661

  • SHA1

    86f7e437faa5a7fce15d1ddcb9eaeaea377667b8

  • SHA256

    ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

  • SHA512

    1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\New Text Document.txt"
    1⤵
      PID:3420
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ipk w269n-wfgwx-yvc9b-4j6c9-t83gx
        2⤵
          PID:2220
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /skms kms8.msguides.com
          2⤵
            PID:4828
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ato
            2⤵
              PID:4284

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/2220-132-0x0000000000000000-mapping.dmp
          • memory/4284-134-0x0000000000000000-mapping.dmp
          • memory/4828-133-0x0000000000000000-mapping.dmp