Analysis
- max time kernel: 88s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-01-2023 17:31
Tasks
- Static task static1
- Behavioral task behavioral1: sample document01.lnk, resource win7-20221111-en
- Behavioral task behavioral2: sample document01.lnk, resource win10v2004-20221111-en
- Behavioral task behavioral3: sample ipchains.dll, resource win7-20220901-en
- Behavioral task behavioral4: sample ipchains.dll, resource win10v2004-20220812-en
- Behavioral task behavioral5: sample price.bat, resource win7-20220812-en
- Behavioral task behavioral6: sample price.bat, resource win10v2004-20221111-en
General
- Target: document01.lnk
- Size: 1KB
- MD5: 4230179e11830d5c25781306d113523b
- SHA1: 158c3323dc9d25981625bc1f4788ae4a9a6f5e60
- SHA256: b3105f3b231b63e1e18f592d15acbba1fb1993e032360da28a14f41d60dad696
- SHA512: 342b01130dff4f62883602906245cf5ca4aa8e14ad397e07d7e383294d93dc826d43f32510648bcddd2295f0c082b5bf8f561b9b7bba302eecf23c9580e98c54
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  process: cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, cmd.exe
  description                          pid   process   target process
  PID 4604 wrote to memory of 4732     4604  cmd.exe   cmd.exe
  PID 4604 wrote to memory of 4732     4604  cmd.exe   cmd.exe
  PID 4732 wrote to memory of 1036     4732  cmd.exe   cmd.exe
  PID 4732 wrote to memory of 1036     4732  cmd.exe   cmd.exe
  PID 4732 wrote to memory of 2180     4732  cmd.exe   xcopy.exe
  PID 4732 wrote to memory of 2180     4732  cmd.exe   xcopy.exe
Processes
- [1] C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\document01.lnk
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c price.bat
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /K copy /y C:\Windows\System32\rundll32.exe C:\ProgramData\cmVhpKJSis23S.exe
    - [3] C:\Windows\system32\xcopy.exe
      command line: xcopy /h /y ipchains.dll C:\ProgramData\