082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203

Analysis

Target

INV 2022-04-22_1538, US.doc.lnk
Size

3KB
MD5

acbbc946a9441b52cc8cd84292977931
SHA1

232258201e20b9b256a64987227148095aa2954b
SHA256

082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203
SHA512

0fb9d77e80b9e0d6c0e3082f289f7f27a0f19747dbc8d69ae6a8935bf91668905a161364f8f468864156989ecb05b03291cfe11a8541d9f26cb2f56718972a22

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 852 wrote to memory of 272	852	cmd.exe	cmd.exe
PID 852 wrote to memory of 272	852	cmd.exe	cmd.exe
PID 852 wrote to memory of 272	852	cmd.exe	cmd.exe
PID 272 wrote to memory of 848	272	cmd.exe	findstr.exe
PID 272 wrote to memory of 848	272	cmd.exe	findstr.exe
PID 272 wrote to memory of 848	272	cmd.exe	findstr.exe
PID 272 wrote to memory of 996	272	cmd.exe	WScript.exe
PID 272 wrote to memory of 996	272	cmd.exe	WScript.exe
PID 272 wrote to memory of 996	272	cmd.exe	WScript.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\INV 2022-04-22_1538, US.doc.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /v:on /c findstr "rSIPPswjwCtKoZy.*" Password2.doc.lnk > "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs" & "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:272
- - C:\Windows\system32\findstr.exe
    findstr "rSIPPswjwCtKoZy.*" Password2.doc.lnk
    3⤵
    PID:848
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs"
    3⤵
    PID:996

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/272-88-0x0000000000000000-mapping.dmp

Download
memory/848-90-0x0000000000000000-mapping.dmp

Download
memory/852-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/996-120-0x0000000000000000-mapping.dmp

Download