59ddf7fd2901ffddc12d730d41a59ef51a0cf834145bcf883d8c1106b6aad0c7

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
27-06-2022 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

demand_letter.jpg.lnk
Size

1KB
MD5

d01dc2fbb602e1058ae56f07fe895513
SHA1

decf03519d25e17b858d398d299b082ecf7e1fd1
SHA256

1040fce86562017f6eea2e609d1e7a49e928d140ac0e3bb30fd290f2b29d117b
SHA512

da7e540394e342db69fefa0c84d55d20e96f4e1764bb32fd4f87bd332b22d6a8b8923453aad2ab1f478200797fbdc68b8eddb618a8e2bc8e813e9f6c1bf08365

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2044 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2044 powershell.exe

pid	process
2044	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2044	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1180 wrote to memory of 2044	1180	cmd.exe	powershell.exe
PID 1180 wrote to memory of 2044	1180	cmd.exe	powershell.exe
PID 1180 wrote to memory of 2044	1180	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\demand_letter.jpg.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file vGhhsvfLkp.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1180-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download
memory/2044-88-0x0000000000000000-mapping.dmp

Download
memory/2044-93-0x000007FEF4A90000-0x000007FEF54B3000-memory.dmp

Filesize
10.1MB

Download
memory/2044-95-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/2044-94-0x000007FEF3F30000-0x000007FEF4A8D000-memory.dmp

Filesize
11.4MB

Download
memory/2044-96-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download