Analysis

  • max time kernel: 69s
  • max time network: 180s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 16-02-2023 22:52

General

  • Target: staplesds02_23.pdf..lnk
  • Size: 293.9MB
  • MD5: 19a3f866228475d4a3355f4fa6bc3a02
  • SHA1: c3c426526286bc758ee684eb0a313115235e1fdb
  • SHA256: dd20336df4d95a3da83bcf7ef7dd5d5c89157a41b6db786c1401bf8e8009c8f2
  • SHA512: b5af6f2225f9be82f2efcc6792fe0d59ae11100dd934dbc85b913e6d490c8c49e236a21e0d8b8d5838222811d1cef800099718b63593c992a655bffadd914b4d
  • SSDEEP: 12288:vTCTogJFp/eClsS5+ytvDsdax4VNOKgWZCvnBgY8ej173EyDyYLERuPUZ:AogJllSWwaeV6gY8ej1NFEh

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (3 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Modifies registry class (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\cmd.exe (PID 1128)
    cmd /c C:\Users\Admin\AppData\Local\Temp\staplesds02_23.pdf..lnk
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\cmd.exe (PID 684)
      "C:\Windows\System32\cmd.exe" /c if exist C:\Users\Admin\AppData\Local\Temp\temp1_staplesds.zip\staplesds02_23.pdf..lnk (certutil.exe -decode C:\Users\Admin\AppData\Local\Temp\temp1_staplesds.zip\staplesds02_23.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta&start C:\Users\Admin\AppData\Local\Temp\.hta)else (certutil -decode staplesds02_23.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta&start C:\Users\Admin\AppData\Local\Temp\.hta)
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\certutil.exe (PID 4812)
        certutil -decode staplesds02_23.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta
      • C:\Windows\SysWOW64\mshta.exe (PID 896)
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        • Blocklisted process makes network request

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\.hta
    Filesize: 29.6MB
    MD5: 03f4c450eceb65bb035eb14017d603b0
    SHA1: f2ba6bae3d9ab9f6926ae03772beb53afe103296
    SHA256: 13560a1661d2efa15e58e358f2cdefbacf2537cad493b7d090b5c284e9e58f78
    SHA512: 26928feff39479252d6979c91b9df0f9d0208158f0bd96a72237f1793330742168556583f4072c03679e9911368a4ec5026d5695ba0d02261ec44ddcae79a50f
  • memory/684-132-0x0000000000000000-mapping.dmp
  • memory/896-135-0x0000000000000000-mapping.dmp
  • memory/4812-133-0x0000000000000000-mapping.dmp