Analysis
-
max time kernel
43s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
03-06-2022 12:15
Static task
static1
Behavioral task
behavioral1
Sample
1127.ps1
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1127.ps1
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
Scan_660.jpg.lnk
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
Scan_660.jpg.lnk
Resource
win10v2004-20220414-en
General
-
Target
Scan_660.jpg.lnk
-
Size
1KB
-
MD5
29cac9f4a4b2cbc6606c0a7751b8b378
-
SHA1
1d79526b5e9a77d7c4c1f6b4454a935cbee58706
-
SHA256
5d95b0022d4c258df18fd392ff033a13d21a9b78279f88fdbc04da53ca5a124d
-
SHA512
1ec8cd6845af4cfdb49570ca0f6437869f637e96f146bff76f9d1dc12ca667af5edc6c3ce8a75666a3735912ca3f58cc51af78ab3b4cbe50197b347361a3f69d
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 884 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 884 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1644 wrote to memory of 884 1644 cmd.exe 29 PID 1644 wrote to memory of 884 1644 cmd.exe 29 PID 1644 wrote to memory of 884 1644 cmd.exe 29
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Scan_660.jpg.lnk1⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file 1127.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884
-