Analysis
- max time kernel: 37s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 02-06-2022 20:53
Static task: static1
Behavioral task: behavioral1 (sample: Invoice-06-0922.iso, resource: win7-20220414-en)
Behavioral task: behavioral2 (sample: Invoice-06-0922.iso, resource: win10v2004-20220414-en)
Behavioral task: behavioral3 (sample: 1204.ps1, resource: win7-20220414-en)
Behavioral task: behavioral4 (sample: 1204.ps1, resource: win10v2004-20220414-en)
Behavioral task: behavioral5 (sample: Scan_314.jpg, resource: win7-20220414-en)
Behavioral task: behavioral6 (sample: Scan_314.jpg, resource: win10v2004-20220414-en)
Behavioral task: behavioral7 (sample: Scan_314.jpg.lnk, resource: win7-20220414-en)
Behavioral task: behavioral8 (sample: Scan_314.jpg.lnk, resource: win10v2004-20220414-en)
Behavioral task: behavioral9 (sample: x.txt, resource: win7-20220414-en)
Behavioral task: behavioral10 (sample: x.txt, resource: win10v2004-20220414-en)
General
- Target: Scan_314.jpg.lnk
- Size: 1KB
- MD5: a43cd61911f636d590eb9a5edfc4777f
- SHA1: 419c382c0311691ee2ba00537d640500d1896366
- SHA256: 6ec963361dc22ff695854bbb3838856d78c1aef73ea07fc855b6d82b57ca51b1
- SHA512: b8889b2f6cde2f85bdcdbe7f529bcdfb6637ec7b29c8f0d1198e954467fb404e1441195942abdb6029bdad5a224628fd05d8f6f8fe0431eb5d9bd13d2e2d7958
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe (PID 928)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe (PID 928), token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 1296 wrote to memory of 928 | 1296 | cmd.exe | powershell.exe
  PID 1296 wrote to memory of 928 | 1296 | cmd.exe | powershell.exe
  PID 1296 wrote to memory of 928 | 1296 | cmd.exe | powershell.exe
Processes
- C:\Windows\system32\cmd.exe (PID 1296)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Scan_314.jpg.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 928, child of 1296)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file 1204.ps1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken