a6ebd6f62b4ed7309d0a0dad26132adb214193231ec565697b2d014d78f21f4c

Analysis

max time kernel
84s
max time network
125s
platform
windows10_x64
resource
win10-en-20210920
submitted
19-10-2021 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Attachment.jpg.lnk
Size

1KB
MD5

e025546ff8afc85a32191af5bb32a6d5
SHA1

499ba488f9c681d239d58f7b79f3a7186cfbdd8c
SHA256

c3cb6b49bc15bd2a2acd369b8f2bc5170e27c749852a60922faf328b029f8076
SHA512

b5959d4823e270c8121dbadf45348a1c2c32c68cdde67624bb288ccdd0d97a254cb6ad3a4a9958ecac878df48d72c52afc3fe1c02cea6d92f6a57ec914746e38

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

21 3328 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3328 powershell.exe
3328 powershell.exe
3328 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3328 powershell.exe

flow	pid	process
21	3328	powershell.exe

pid	process
3328	powershell.exe
3328	powershell.exe
3328	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3328	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2384 wrote to memory of 3328	2384	cmd.exe	powershell.exe
PID 2384 wrote to memory of 3328	2384	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Attachment.jpg.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file z.ps1
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3328-115-0x0000000000000000-mapping.dmp

Download
memory/3328-118-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-117-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-116-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-119-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-120-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-121-0x000001AFF9E00000-0x000001AFF9E01000-memory.dmp

Filesize
4KB

Download
memory/3328-122-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-126-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-127-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-128-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-129-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-130-0x000001AFFA1C0000-0x000001AFFA1C1000-memory.dmp

Filesize
4KB

Download
memory/3328-131-0x000001AFF7CB0000-0x000001AFF7CB2000-memory.dmp

Filesize
8KB

Download
memory/3328-132-0x000001AFF7CB3000-0x000001AFF7CB5000-memory.dmp

Filesize
8KB

Download
memory/3328-133-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-134-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-135-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-136-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-137-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-138-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-139-0x000001AFF7CB6000-0x000001AFF7CB8000-memory.dmp

Filesize
8KB

Download
memory/3328-140-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-141-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-142-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-143-0x000001AFF7A50000-0x000001AFF7A52000-memory.dmp

Filesize
8KB

Download
memory/3328-144-0x000001AFF7A50000-0x000001AFF7A55000-memory.dmp

Filesize
20KB

Download
memory/3328-145-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-146-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-147-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-148-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-149-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-150-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-151-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-152-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-153-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-154-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-155-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-156-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-157-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-158-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-159-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-160-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-161-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-162-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-163-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-164-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-165-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-166-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-167-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-168-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-169-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-170-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-171-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-172-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-173-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-174-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-175-0x000001AFF7A50000-0x000001AFF7A58000-memory.dmp

Filesize
32KB

Download
memory/3328-176-0x000001AFF7A50000-0x000001AFF7A60000-memory.dmp

Filesize
64KB

Download
memory/3328-177-0x000001AFF7A50000-0x000001AFF7A60000-memory.dmp

Filesize
64KB

Download
memory/3328-178-0x000001AFF7A50000-0x000001AFF7A60000-memory.dmp

Filesize
64KB

Download
memory/3328-179-0x000001AFF7A50000-0x000001AFF7A60000-memory.dmp

Filesize
64KB

Download
memory/3328-180-0x000001AFF7A50000-0x000001AFF7A60000-memory.dmp

Filesize
64KB

Download
memory/3328-181-0x000001AFF7A50000-0x000001AFF7A60000-memory.dmp

Filesize
64KB

Download
memory/3328-182-0x000001AFF7A50000-0x000001AFF7A60000-memory.dmp

Filesize
64KB

Download
memory/3328-223-0x000001AFF7CB8000-0x000001AFF7CB9000-memory.dmp

Filesize
4KB

Download