Analysis

max time kernel: 43s
max time network: 46s
platform: windows7_x64
resource: win7-20220414-en
submitted: 03-06-2022 12:14
Static task: static1

Behavioral task: behavioral1
Sample: 1662.ps1
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 1662.ps1
Resource: win10v2004-20220414-en

Behavioral task: behavioral3
Sample: Scan_139.jpg.lnk
Resource: win7-20220414-en

Behavioral task: behavioral4
Sample: Scan_139.jpg.lnk
Resource: win10v2004-20220414-en
General

Target: Scan_139.jpg.lnk
Size: 1KB
MD5: ae4d8e1b3f31028acb611bdefbfa51b2
SHA1: 6327c8798e529dd479e7bdd99c314867a7cccd3b
SHA256: f73826aa0bdf74bc777023b1e2c05fbb79194f81be1c2977af1fcbe6298740ff
SHA512: 4bc8d72294ee65c89e0a0815321e1d67ae9f3ed43d7dd7aabc3fc05d02c766ff68664873265e3ef01e1fee12807d9b52c218d23d03b0fd91520ab853ea883557
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid   Process
948   powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  948   powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid    Process   procid_target
PID 1784 wrote to memory of 948   1784   cmd.exe   29
PID 1784 wrote to memory of 948   1784   cmd.exe   29
PID 1784 wrote to memory of 948   1784   cmd.exe   29
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Scan_139.jpg.lnk
   PID: 1784
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file 1662.ps1
      PID: 948
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken