Overview
overview
10Static
static
Invoice-06-1022.iso
windows7_x64
3Invoice-06-1022.iso
windows10-2004_x64
31728.ps1
windows7_x64
11728.ps1
windows10-2004_x64
8Scan_282.jpg
windows7_x64
3Scan_282.jpg
windows10-2004_x64
3Scan_282.jpg.lnk
windows7_x64
3Scan_282.jpg.lnk
windows10-2004_x64
10x.txt
windows7_x64
1x.txt
windows10-2004_x64
1Resubmissions
02-06-2022 22:15
220602-16kn1abhf3 1002-06-2022 21:45
220602-1mh13abha3 702-06-2022 21:44
220602-1ln6pabgh8 802-06-2022 21:40
220602-1jcpwabgh5 1002-06-2022 21:27
220602-1ay7hsffap 10Analysis
-
max time kernel
48s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
02-06-2022 21:40
Static task
static1
Behavioral task
behavioral1
Sample
Invoice-06-1022.iso
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Invoice-06-1022.iso
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
1728.ps1
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
1728.ps1
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
Scan_282.jpg
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
Scan_282.jpg
Resource
win10v2004-20220414-en
Behavioral task
behavioral7
Sample
Scan_282.jpg.lnk
Resource
win7-20220414-en
Behavioral task
behavioral8
Sample
Scan_282.jpg.lnk
Resource
win10v2004-20220414-en
Behavioral task
behavioral9
Sample
x.txt
Resource
win7-20220414-en
Behavioral task
behavioral10
Sample
x.txt
Resource
win10v2004-20220414-en
General
-
Target
Scan_282.jpg.lnk
-
Size
1KB
-
MD5
371924fdfffd4ca69857e94260c34a74
-
SHA1
2a1dc23c24010a8b5ef3b512ea3e3c6d2f52a44b
-
SHA256
801086851a46749a95efc050102fb85b761c0ccb191dfd29ff39c6b7cacb6292
-
SHA512
f9cbf21c27cf3473a2b73141dfd728d9d8824d20afc24f4b4b93ca5bf9536bd594c7a6d4100be2a2fc9c8e4b85b9dcf9797f61f60267128ea31cb44bfb43aba0
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 392 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 392 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1936 wrote to memory of 392 1936 cmd.exe 28 PID 1936 wrote to memory of 392 1936 cmd.exe 28 PID 1936 wrote to memory of 392 1936 cmd.exe 28
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Scan_282.jpg.lnk1⤵
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file 1728.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392
-