1a70915f0169d0a92414ae58337809372ed09b75f877fc570e905abe83d50550

Analysis

max time kernel
91s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2022, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roboto-Thin.ttf
Size

164KB
MD5

66209ae01f484e46679622dd607fcbc5
SHA1

58c733e22bceeaf9609ce578eca92ac303c6d92f
SHA256

67248f7e8c6edb3ce7ef73b0f00a534a7f42c1116cef63ce21b2035b5e979a06
SHA512

9a3298e7bdd34b3acfcd3e435cc7c1af28e90f32c37fd03e79cb71c1744d3d099d68b23e5a21b52e5785dbc4895051c2887d06b93ac8974394d6eb648e0d0df6
SSDEEP

3072:74GbnoX/bg3chPOy8Y0akfU8ZwC31atEz1viCjp+6OeQr+jpVQRE9sOcEUuyONQS:1m+Q8wektuw6/lCwJOVqkIFwu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4332	4028	cmd.exe	79
PID 4028 wrote to memory of 4332	4028	cmd.exe	79

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Roboto-Thin.ttf
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\Roboto-Thin.ttf
  2⤵
  PID:4332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...