Overview

overview

7

Static

static

3

ASEAN 2024.lnk

windows7-x64

3

ASEAN 2024.lnk

windows10-2004-x64

7

MS.lnk

windows7-x64

3

MS.lnk

windows10-2004-x64

7

Mofa memo.lnk

windows7-x64

3

Mofa memo.lnk

windows10-2004-x64

7

NS.lnk

windows7-x64

3

NS.lnk

windows10-2004-x64

7

_/_/_/_/_/...oy.dll

windows7-x64

3

_/_/_/_/_/...oy.dll

windows10-2004-x64

3

_/_/_/_/_/...ce.exe

windows7-x64

6

_/_/_/_/_/...ce.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/08/2024, 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mofa memo.lnk

  • Size

    1KB

  • MD5

    698382d42978ee9b86046682cacc76ab

  • SHA1

    dd149a0c4a650df907557b3c0219fde81d339d11

  • SHA256

    e537c5da268c6a08d6e94d570e8efb17d0ca3f4013e221fadc4e0b3191499767

  • SHA512

    e02706545ef29a769c73a664380d9d86f5dc75a7c377b79aa86840270ff1b38f2d4eb24c4dd640556a2b6bf740ff28654f287932bbc66f842d76bab079d9ef46

Score
7/10
defense_evasiondiscoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Binary Proxy Execution: ScriptRunner 1 TTPs 1 IoCs

    Adversaries may abuse ScriptRunner to proxy execution of malicious code.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Mofa memo.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Windows\System32\ScriptRunner.exe
      "C:\Windows\System32\ScriptRunner.exe" -appvscript _\_\_\_\_\_\_\_\_\_\_\_\office.exe
      2⤵
      • System Binary Proxy Execution: ScriptRunner
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Users\Admin\AppData\Local\Temp\_\_\_\_\_\_\_\_\_\_\_\_\office.exe
        "C:\Users\Admin\AppData\Local\Temp\_\_\_\_\_\_\_\_\_\_\_\_\office.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2060-0-0x00007FF9E6273000-0x00007FF9E6275000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2060-1-0x000001DB6E760000-0x000001DB6E76A000-memory.dmp

    Filesize

    40KB

    Download