2b8ca80ca776c90f02c90fd7e5f55fb29a756357bd9f55c432ab81cf65c22d5a

Analysis

Target

Label_83803.txt.lnk
Size

9KB
MD5

ee4e5b2df114a4f76238a0a8b012f46c
SHA1

f082523c533b366149c2155a200bc6f7dc16ce8a
SHA256

5db9e0839d3567a3ca502874d1528d71c55fc55515efa3f2f1deaa95aea9b027
SHA512

c1262c315e4b359f7ff6175fe49f7573ebb25d0888d265b0b539fe73f5de41efa892450033b887111460cfbb4605ade8dcd2a1115884d1bb68658e0c5a4bab69

Score

8^/10

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow	pid	Process
2	1276	WScript.exe
3	1276	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exe

description	pid	Process	procid_target
PID 1784 wrote to memory of 1212	1784	cmd.exe	28
PID 1784 wrote to memory of 1212	1784	cmd.exe	28
PID 1784 wrote to memory of 1212	1784	cmd.exe	28
PID 1212 wrote to memory of 1700	1212	cmd.exe	29
PID 1212 wrote to memory of 1700	1212	cmd.exe	29
PID 1212 wrote to memory of 1700	1212	cmd.exe	29
PID 1212 wrote to memory of 1276	1212	cmd.exe	30
PID 1212 wrote to memory of 1276	1212	cmd.exe	30
PID 1212 wrote to memory of 1276	1212	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Label_83803.txt.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /v:on /c seuhv & set "gLZKl=inds" & (f!gLZKl!tr "dfPWo.*" Label_83803.txt.lnk > "C:\Users\Admin\AppData\Local\Temp\CWnfn.vbs" & "C:\Users\Admin\AppData\Local\Temp\CWnfn.vbs") & cECVU
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\system32\findstr.exe
    findstr "dfPWo.*" Label_83803.txt.lnk
    3⤵
    PID:1700
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CWnfn.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1276

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\CWnfn.vbs

Filesize
7KB

MD5
15c05d6e53fd3d4afa06357cec5406d0

SHA1
588a7a8fe15838369ff4869b5d5db89bd43f2639

SHA256
ab1066081034eec60d076d6ef027d6e44a48a7016acf9b8ae860032f78aa72ad

SHA512
b0c01e1570b6dff9ba5aec1939a89c3c81d51db7bf22bbe82750197f58086b0b34ef6f4cb97bbab6eb926b719915a1ef63be411f5f16afe2caeb2565a72c7f02

Download Submit
memory/1212-88-0x0000000000000000-mapping.dmp

Download
memory/1276-120-0x0000000000000000-mapping.dmp

Download
memory/1700-90-0x0000000000000000-mapping.dmp

Download
memory/1784-54-0x000007FEFB7C1000-0x000007FEFB7C3000-memory.dmp

Filesize
8KB

Download