Overview

overview

7

Static

static

1

Parking_Re...oc.lnk

windows7-x64

3

Parking_Re...oc.lnk

windows10-2004-x64

7

Analysis

  • max time kernel
    93s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Parking_Receipt_5.doc.lnk

  • Size

    9KB

  • MD5

    2ef37d3814879f5c1e57bbb61642e6f7

  • SHA1

    a8ead0c5e0b5e150f9f8945065e151434991123f

  • SHA256

    eb17b9b7a32be1e5056b599e859e3bf46b0c55fd7334775f5b3548f49a74d8ce

  • SHA512

    bbd46965cdf208d97fa2093f19d4eb1a05ebc4fff2885f9c75cbc345b7009ff30b6e3d8b2d14b3486aeda7be6c754946bdcec5b034db78888773933eff91b9a0

  • SSDEEP

    96:8Bdb3k4wk2houqRHMEA3ws/c1T0RdoyG37uv:8BRURhm2cs/cB0Tc3K

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Parking_Receipt_5.doc.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c zlAIE & (findstr "execu.*" Parking_Receipt_5.doc.lnk > "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs" & "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs") & yJYAz
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\system32\findstr.exe
        findstr "execu.*" Parking_Receipt_5.doc.lnk
        3⤵
          PID:2384
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs"
          3⤵
            PID:4312

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs
        Filesize

        7KB

        MD5

        0ccb5ac219b4bca69895368631d4d951

        SHA1

        9d27df981760e94871b5bd9850fe4ce95ed11ede

        SHA256

        c6e8e7340deba567e9e908ec7e909b669882bde38690cf372bdcdfa2eb77bc99

        SHA512

        43fb935c8075820e2f68c0eb345c02c6588cd0f1355da94865cb683bd5964783ebfc8d3182285d2fd09fd8779e62166873dd9965e742e1b6b0e291e1bda9e87a

        Download Submit