Overview
overview
10Static
static
Document-1310.iso
windows7_x64
3Document-1310.iso
windows10-2004_x64
31662.ps1
windows7_x64
11662.ps1
windows10-2004_x64
10Scan_139.jpg
windows7_x64
3Scan_139.jpg
windows10-2004_x64
3Scan_139.jpg.lnk
windows7_x64
3Scan_139.jpg.lnk
windows10-2004_x64
10x.txt
windows7_x64
1x.txt
windows10-2004_x64
1Analysis
-
max time kernel
41s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
02-06-2022 19:49
Static task
static1
Behavioral task
behavioral1
Sample
Document-1310.iso
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Document-1310.iso
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
1662.ps1
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
1662.ps1
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
Scan_139.jpg
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
Scan_139.jpg
Resource
win10v2004-20220414-en
Behavioral task
behavioral7
Sample
Scan_139.jpg.lnk
Resource
win7-20220414-en
Behavioral task
behavioral8
Sample
Scan_139.jpg.lnk
Resource
win10v2004-20220414-en
Behavioral task
behavioral9
Sample
x.txt
Resource
win7-20220414-en
Behavioral task
behavioral10
Sample
x.txt
Resource
win10v2004-20220414-en
General
-
Target
Scan_139.jpg.lnk
-
Size
1KB
-
MD5
ae4d8e1b3f31028acb611bdefbfa51b2
-
SHA1
6327c8798e529dd479e7bdd99c314867a7cccd3b
-
SHA256
f73826aa0bdf74bc777023b1e2c05fbb79194f81be1c2977af1fcbe6298740ff
-
SHA512
4bc8d72294ee65c89e0a0815321e1d67ae9f3ed43d7dd7aabc3fc05d02c766ff68664873265e3ef01e1fee12807d9b52c218d23d03b0fd91520ab853ea883557
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1000 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1000 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 360 wrote to memory of 1000 360 cmd.exe powershell.exe PID 360 wrote to memory of 1000 360 cmd.exe powershell.exe PID 360 wrote to memory of 1000 360 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Scan_139.jpg.lnk1⤵
- Suspicious use of WriteProcessMemory
PID:360 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file 1662.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000
-