Overview

overview

10

Static

static

RR.lnk

windows7-x64

3

RR.lnk

windows10-2004-x64

7

sandstone/beeches.cmd

windows7-x64

1

sandstone/beeches.cmd

windows10-2004-x64

1

sandstone/gold.cmd

windows7-x64

1

sandstone/gold.cmd

windows10-2004-x64

1

sandstone/kilketh.dll

windows7-x64

10

sandstone/kilketh.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    191s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2022 12:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RR.lnk

  • Size

    1KB

  • MD5

    5adfb10fa942ee453862b4adbcfbca6f

  • SHA1

    d76867af1d617b82a6c2c69b43f3bcef5fedcdb2

  • SHA256

    4cdbdd8e0e25072b84b74a3116f532819704a43daf567ef9230d137a11631895

  • SHA512

    c79e0913d046d96cfacfd4bd345d021d9868492d4ee0c9422231daf3fc0c4b8d12fb0bf78bc410cb9c82c8dc1c5e54ff581daef5e7159cfa305d3535d3d16c4c

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sandstone\gold.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K sandstone\beeches.cmd system rundl
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4924
        • C:\Windows\system32\replace.exe
          replace C:\Windows\\system32\\rundlr32.exe C:\Users\Admin\AppData\Local\Temp /A
          4⤵
            PID:4804
          • C:\Windows\system32\rundll32.exe
            rundll32 sandstone\\kilketh.tmp,init
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4888
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 sandstone\\kilketh.tmp,init
              5⤵
                PID:4784

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4144-132-0x0000000000000000-mapping.dmp
        Download
      • memory/4784-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4804-134-0x0000000000000000-mapping.dmp
        Download
      • memory/4888-135-0x0000000000000000-mapping.dmp
        Download
      • memory/4924-133-0x0000000000000000-mapping.dmp
        Download