Analysis
- max time kernel: 35s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 02-06-2022 19:05
Static task: static1
Behavioral task: behavioral1
- Sample: Parking_Receipt_5.doc.lnk
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Parking_Receipt_5.doc.lnk
- Resource: win10v2004-20220414-en
General
- Target: Parking_Receipt_5.doc.lnk
- Size: 9KB
- MD5: 2ef37d3814879f5c1e57bbb61642e6f7
- SHA1: a8ead0c5e0b5e150f9f8945065e151434991123f
- SHA256: eb17b9b7a32be1e5056b599e859e3bf46b0c55fd7334775f5b3548f49a74d8ce
- SHA512: bbd46965cdf208d97fa2093f19d4eb1a05ebc4fff2885f9c75cbc345b7009ff30b6e3d8b2d14b3486aeda7be6c754946bdcec5b034db78888773933eff91b9a0
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                      pid   process   target process
  PID 1420 wrote to memory of 1484  1420  cmd.exe   cmd.exe
  PID 1420 wrote to memory of 1484  1420  cmd.exe   cmd.exe
  PID 1420 wrote to memory of 1484  1420  cmd.exe   cmd.exe
  PID 1484 wrote to memory of 1704  1484  cmd.exe   findstr.exe
  PID 1484 wrote to memory of 1704  1484  cmd.exe   findstr.exe
  PID 1484 wrote to memory of 1704  1484  cmd.exe   findstr.exe
  PID 1484 wrote to memory of 1012  1484  cmd.exe   WScript.exe
  PID 1484 wrote to memory of 1012  1484  cmd.exe   WScript.exe
  PID 1484 wrote to memory of 1012  1484  cmd.exe   WScript.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Parking_Receipt_5.doc.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c zlAIE & (findstr "execu.*" Parking_Receipt_5.doc.lnk > "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs" & "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs") & yJYAz
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\findstr.exe
      findstr "execu.*" Parking_Receipt_5.doc.lnk
    - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs
  Filesize: 7KB
  MD5: 0ccb5ac219b4bca69895368631d4d951
  SHA1: 9d27df981760e94871b5bd9850fe4ce95ed11ede
  SHA256: c6e8e7340deba567e9e908ec7e909b669882bde38690cf372bdcdfa2eb77bc99
  SHA512: 43fb935c8075820e2f68c0eb345c02c6588cd0f1355da94865cb683bd5964783ebfc8d3182285d2fd09fd8779e62166873dd9965e742e1b6b0e291e1bda9e87a
- memory/1012-120-0x0000000000000000-mapping.dmp
- memory/1420-54-0x000007FEFB611000-0x000007FEFB613000-memory.dmp
  Filesize: 8KB
- memory/1484-88-0x0000000000000000-mapping.dmp
- memory/1704-92-0x0000000000000000-mapping.dmp