Overview

overview

7

Static

static

Parking_Re...oc.lnk

windows7_x64

3

Parking_Re...oc.lnk

windows10-2004_x64

7

Analysis

  • max time kernel
    35s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    02-06-2022 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Parking_Receipt_5.doc.lnk

  • Size

    9KB

  • MD5

    2ef37d3814879f5c1e57bbb61642e6f7

  • SHA1

    a8ead0c5e0b5e150f9f8945065e151434991123f

  • SHA256

    eb17b9b7a32be1e5056b599e859e3bf46b0c55fd7334775f5b3548f49a74d8ce

  • SHA512

    bbd46965cdf208d97fa2093f19d4eb1a05ebc4fff2885f9c75cbc345b7009ff30b6e3d8b2d14b3486aeda7be6c754946bdcec5b034db78888773933eff91b9a0

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Parking_Receipt_5.doc.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c zlAIE & (findstr "execu.*" Parking_Receipt_5.doc.lnk > "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs" & "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs") & yJYAz
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\system32\findstr.exe
        findstr "execu.*" Parking_Receipt_5.doc.lnk
        3⤵
          PID:1704
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs"
          3⤵
            PID:1012

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\gnzoM.vbs
        Filesize

        7KB

        MD5

        0ccb5ac219b4bca69895368631d4d951

        SHA1

        9d27df981760e94871b5bd9850fe4ce95ed11ede

        SHA256

        c6e8e7340deba567e9e908ec7e909b669882bde38690cf372bdcdfa2eb77bc99

        SHA512

        43fb935c8075820e2f68c0eb345c02c6588cd0f1355da94865cb683bd5964783ebfc8d3182285d2fd09fd8779e62166873dd9965e742e1b6b0e291e1bda9e87a

        Download Submit
      • memory/1012-120-0x0000000000000000-mapping.dmp
        Download
      • memory/1420-54-0x000007FEFB611000-0x000007FEFB613000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1484-88-0x0000000000000000-mapping.dmp
        Download
      • memory/1704-92-0x0000000000000000-mapping.dmp
        Download