Analysis
-
max time kernel
40s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
30-06-2022 23:07
Static task
static1
Behavioral task
behavioral1
Sample
768327532892733679.dll
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
768327532892733679.dll
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
INV871623.txt.lnk
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
INV871623.txt.lnk
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
THjkgeCbhjm.ps1
Resource
win7-20220414-en
General
-
Target
INV871623.txt.lnk
-
Size
1KB
-
MD5
7c1073209e40cb0957e097eb86ae4d79
-
SHA1
fd8b3b87f44bfef8f5a7af23adf496b5494eaf01
-
SHA256
1202a0e6d4b0282bcade76291346b5b410f05e05c978c087147a4c2006d69b42
-
SHA512
ac6b78c0657388119e3c7d70c3b708ffbdc643965dcd9d11240b96110559b5e24409bc34921fa700bdeb39c16d37b40b6c1b83420f302137a46c84ca66e61406
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 896 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 896 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 316 wrote to memory of 896 316 cmd.exe powershell.exe PID 316 wrote to memory of 896 316 cmd.exe powershell.exe PID 316 wrote to memory of 896 316 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\INV871623.txt.lnk1⤵
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file THjkgeCbhjm.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896