f2956da25bd8b3682d6945aed72f24d8bd3198bc5eba2a4232f9cb76e254829d

Analysis

max time kernel
40s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
09-06-2022 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ScannedDocuments_8080655.lnk
Size

1KB
MD5

a43c525371ce9f2fcccba240a1fc5a33
SHA1

9ec61778e8605c7bd304f84f0867ada794a2d9f0
SHA256

89532ec32e52234cef6c82443cc08d3b9461d0a87d1cde778d8b5dfe34c54022
SHA512

c405eae2c58cbca8005a4396b8572dcc7c82ba08a91b3cb83f9892b44204dfea44a8214804ed9addff6de6c21cf70888a8afc7c98cdca35681970d387780aad4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1380 wrote to memory of 896	1380	cmd.exe	rundll32.exe
PID 1380 wrote to memory of 896	1380	cmd.exe	rundll32.exe
PID 1380 wrote to memory of 896	1380	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ScannedDocuments_8080655.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" scanned.dll,DllUnregisterServer
2⤵
PID:896

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/896-88-0x0000000000000000-mapping.dmp

Download
memory/1380-54-0x000007FEFB721000-0x000007FEFB723000-memory.dmp

Filesize
8KB

Download