d80d33cf63c15b5804e7dc096733026a01c300aac0e36cff5c9721adaebb1b2c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

中体彩2024年度员工晋升材料/中体彩2024年度员工晋升材料报名表.pdf.lnk
Size

727B
MD5

c02c168c1c97d6f113b88cb8c1ddedf9
SHA1

ee235ca5916d3003eab418dd9a3e2e0286bc3852
SHA256

cd029ad0d35e589c6340a33b094a3ae866648e4b93926ad7b3278d1531b583f3
SHA512

857ca5cacd21d194288a82a60a0cab439cde23beef5ebb4f83a4cb0a60694ff32c83682e4414355e26a59d4c73c29c2cac538107ee5cb95bf001b66582d6f569

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5020 set thread context of 3980	5020	osd.com	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5020	osd.com
5020	osd.com

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 2872	5024	cmd.exe	85
PID 5024 wrote to memory of 2872	5024	cmd.exe	85
PID 4784 wrote to memory of 5020	4784	explorer.exe	87
PID 4784 wrote to memory of 5020	4784	explorer.exe	87
PID 5020 wrote to memory of 3980	5020	osd.com	98
PID 5020 wrote to memory of 3980	5020	osd.com	98
PID 5020 wrote to memory of 3980	5020	osd.com	98

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\中体彩2024年度员工晋升材料\中体彩2024年度员工晋升材料报名表.pdf.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" ".\其他信息\.__MACOS__\.__MACOS__\._MACOSX_\osd.com"
  2⤵
  PID:2872

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\中体彩2024年度员工晋升材料\其他信息\.__MACOS__\.__MACOS__\._MACOSX_\osd.com
  "C:\Users\Admin\AppData\Local\Temp\中体彩2024年度员工晋升材料\其他信息\.__MACOS__\.__MACOS__\._MACOSX_\osd.com"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\system32\runonce.exe
    C:\Windows\system32\runonce.exe
    3⤵
    PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3980-26-0x00000254BB540000-0x00000254BB571000-memory.dmp

Filesize
196KB

Download
memory/3980-28-0x00000254BCFE0000-0x00000254BD016000-memory.dmp

Filesize
216KB

Download
memory/5020-21-0x00000204F11E0000-0x00000204F11E2000-memory.dmp

Filesize
8KB

Download
memory/5020-29-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download
memory/5020-20-0x00000204F10C0000-0x00000204F10C2000-memory.dmp

Filesize
8KB

Download
memory/5020-0-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/5020-22-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download
memory/5020-23-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download
memory/5020-25-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download
memory/5020-18-0x00000204F0190000-0x00000204F01E8000-memory.dmp

Filesize
352KB

Download
memory/5020-9-0x00000204AAD20000-0x00000204AAF0D000-memory.dmp

Filesize
1.9MB

Download
memory/5020-19-0x00000204F0830000-0x00000204F0888000-memory.dmp

Filesize
352KB

Download
memory/5020-31-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download
memory/5020-33-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download
memory/5020-34-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download
memory/5020-35-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download
memory/5020-36-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download
memory/5020-37-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download
memory/5020-38-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download
memory/5020-39-0x0000000065000000-0x0000000066556000-memory.dmp

Filesize
21.3MB

Download