Overview

overview

10

Static

static

RR.lnk

windows7-x64

10

RR.lnk

windows10-2004-x64

7

mollusks/c...nk.cmd

windows7-x64

1

mollusks/c...nk.cmd

windows10-2004-x64

1

mollusks/e...ng.cmd

windows7-x64

1

mollusks/e...ng.cmd

windows10-2004-x64

1

mollusks/fondest.dll

windows7-x64

10

mollusks/fondest.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    288s
  • max time network
    349s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2022 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RR.lnk

  • Size

    1KB

  • MD5

    99c13f13a9ff15fe23be566df534b00b

  • SHA1

    28a1850d467da6dfe000ec56070ddbff3ebd8f2d

  • SHA256

    24372ffb6203b0b5baf871d4089a5c2e0a5f7e39bc8681f525c74ab60b52c4a5

  • SHA512

    4d880757d02b4f5798305cb15643f942ceb1a492c32c2e331c8b45878e03ad0dc33ead2ec68d3e695fe8e3d497922067fe05ec58e712e36f81f154c0d9e76223

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mollusks\enlisting.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K mollusks\countersink.cmd system rundl
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3160
        • C:\Windows\system32\replace.exe
          replace C:\Windows\\system32\\rundlr32.exe C:\Users\Admin\AppData\Local\Temp /A
          4⤵
            PID:2268

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2268-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3160-133-0x0000000000000000-mapping.dmp
      Download
    • memory/4492-132-0x0000000000000000-mapping.dmp
      Download