Analysis
max time kernel: 46s
max time network: 50s
platform: windows7_x64
resource: win7-20220414-en
submitted: 22-04-2022 21:50
Static task: static1
Behavioral task: behavioral1
  Sample: INV 2022-04-22_1538, US.doc.lnk
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: INV 2022-04-22_1538, US.doc.lnk
  Resource: win10v2004-20220414-en (windows10-2004_x64)
  0 signatures, 0 seconds
General
Target: INV 2022-04-22_1538, US.doc.lnk
Size: 3KB
MD5: acbbc946a9441b52cc8cd84292977931
SHA1: 232258201e20b9b256a64987227148095aa2954b
SHA256: 082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203
SHA512: 0fb9d77e80b9e0d6c0e3082f289f7f27a0f19747dbc8d69ae6a8935bf91668905a161364f8f468864156989ecb05b03291cfe11a8541d9f26cb2f56718972a22
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (9 IoCs)
  description                      pid  Process  procid_target
  PID 852 wrote to memory of 272   852  cmd.exe  28
  PID 852 wrote to memory of 272   852  cmd.exe  28
  PID 852 wrote to memory of 272   852  cmd.exe  28
  PID 272 wrote to memory of 848   272  cmd.exe  29
  PID 272 wrote to memory of 848   272  cmd.exe  29
  PID 272 wrote to memory of 848   272  cmd.exe  29
  PID 272 wrote to memory of 996   272  cmd.exe  30
  PID 272 wrote to memory of 996   272  cmd.exe  30
  PID 272 wrote to memory of 996   272  cmd.exe  30
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\INV 2022-04-22_1538, US.doc.lnk"
  PID: 852
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /v:on /c findstr "rSIPPswjwCtKoZy.*" Password2.doc.lnk > "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs" & "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs"
    PID: 272
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\findstr.exe
      Command line: findstr "rSIPPswjwCtKoZy.*" Password2.doc.lnk
      PID: 848
    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs"
      PID: 996