Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2022 12:06
Static task
static1
Behavioral task
behavioral1
Sample
New Text Document.txt
Resource
win10v2004-20220812-en
4 signatures
300 seconds
General
-
Target
New Text Document.txt
-
Size
1B
-
MD5
0cc175b9c0f1b6a831c399e269772661
-
SHA1
86f7e437faa5a7fce15d1ddcb9eaeaea377667b8
-
SHA256
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
-
SHA512
1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cmd.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cmd.exedescription pid process target process PID 3652 wrote to memory of 2220 3652 cmd.exe WScript.exe PID 3652 wrote to memory of 2220 3652 cmd.exe WScript.exe PID 3652 wrote to memory of 4828 3652 cmd.exe WScript.exe PID 3652 wrote to memory of 4828 3652 cmd.exe WScript.exe PID 3652 wrote to memory of 4284 3652 cmd.exe WScript.exe PID 3652 wrote to memory of 4284 3652 cmd.exe WScript.exe
Processes
-
C:\Windows\system32\NOTEPAD.EXEC:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\New Text Document.txt"1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ipk w269n-wfgwx-yvc9b-4j6c9-t83gx2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /skms kms8.msguides.com2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ato2⤵