Analysis

  • max time kernel
    46s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    22-04-2022 21:50

General

  • Target

    INV 2022-04-22_1538, US.doc.lnk

  • Size

    3KB

  • MD5

    acbbc946a9441b52cc8cd84292977931

  • SHA1

    232258201e20b9b256a64987227148095aa2954b

  • SHA256

    082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203

  • SHA512

    0fb9d77e80b9e0d6c0e3082f289f7f27a0f19747dbc8d69ae6a8935bf91668905a161364f8f468864156989ecb05b03291cfe11a8541d9f26cb2f56718972a22

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\INV 2022-04-22_1538, US.doc.lnk"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /v:on /c findstr "rSIPPswjwCtKoZy.*" Password2.doc.lnk > "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs" & "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:272
      • C:\Windows\system32\findstr.exe
        findstr "rSIPPswjwCtKoZy.*" Password2.doc.lnk
        3⤵
          PID:848
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VEuIqlISMa.vbs"
          3⤵
            PID:996

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/852-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

        Filesize

        8KB