0432dca5d3f8623103c1e112f052a4ed7990d550b029c445858ffc94a9abe65b

Resubmissions

15-04-2024 17:37

240415-v66nksed8w 7

15-04-2024 17:34

240415-v5ll1sed3z 7

15-04-2024 17:30

240415-v3fmzsca66 3

15-04-2024 17:27

240415-v1vdcseb8w 7

Analysis

max time kernel
28s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsPowerShell/v1.0/Modules/VpnClient/PS_VpnServerAddress_v1.0.cdxml
Size

1KB
MD5

f45547e60663d7b4bc02a4182fda841d
SHA1

a0a2bbdcd7f33e988115c588bd77fa80c3de7456
SHA256

71813b448a93a70d846dee293ebee26d0f3d75d2601c96e8a25a954857045622
SHA512

c78478485365d87e89f523615fbcbdcb3882e1795ad07cdbaa4e6730c3f0f02201bbe956e4686d060922bfea7793fa1599963ab447a329ca17dc4a8062610a69

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4408	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 4408	3180	cmd.exe	91
PID 3180 wrote to memory of 4408	3180	cmd.exe	91

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WindowsPowerShell\v1.0\Modules\VpnClient\PS_VpnServerAddress_v1.0.cdxml
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\WindowsPowerShell\v1.0\Modules\VpnClient\PS_VpnServerAddress_v1.0.cdxml
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads