e9a1ce3417838013412f81425ef74a37608754586722e00cacb333ba88eb9aa7

General

Target

PRD.lnk
Size

1KB
MD5

03475b66ae9683c845b1b99c9fb7b5f1
SHA1

6ac4dd7bc3136f7b8c1b8f8b60d855a4f606bd67
SHA256

7ba64fb34d07705c909cb271df4f8ffd152618897b25e77379c836b5c57fe1b4
SHA512

ac41a57a4dd9993f53612c2a1b72c9375ced61d0f4e3b72403ce4d28d30c6353075756b439346cb7352be9656b4a54a76cc6846d3eb9f5fd0799372930240179

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
672	powershell.exe
672	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	672	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 672	1096	cmd.exe	29
PID 1096 wrote to memory of 672	1096	cmd.exe	29
PID 1096 wrote to memory of 672	1096	cmd.exe	29
PID 672 wrote to memory of 432	672	powershell.exe	30
PID 672 wrote to memory of 432	672	powershell.exe	30
PID 672 wrote to memory of 432	672	powershell.exe	30
PID 432 wrote to memory of 1496	432	csc.exe	31
PID 432 wrote to memory of 1496	432	csc.exe	31
PID 432 wrote to memory of 1496	432	csc.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PRD.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file lkndwsjds.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\evxxe6ro.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3E2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF3E1.tmp"
      4⤵
      PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF3E2.tmp

Filesize
1KB

MD5
005658068217013de1f42e9abccd0b5f

SHA1
9b0e551ada61463dd8b4d709984ad04af354fa68

SHA256
93af09b100f253dac6513a4bf8496d65d8b5198248643eefc8dd8ee8da1975aa

SHA512
806dc30e47f37165984f0fcc39846c6ab49fd616ef4afd9315c806b20894753b5632b8e13debfe4ac85906196da7d02cdf0da1db0090d13a2dc5d913ee7d67c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\evxxe6ro.dll

Filesize
3KB

MD5
e4ca94e7cedea727ec5032bbdf5769f9

SHA1
069e8517f1d1e23901c946296c05776344982813

SHA256
e9f922cd4ab28a5b0e59c40895bfffddb82507e9fb35e1a6f9f5abdf0197b0f6

SHA512
56f5213392c4e92392da875a330f9aa85a505e889122a162a26769fcd3a62de32db2c91a31c499070350d357a6afcf48072962b79f1ca600842d883655f7b8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\evxxe6ro.pdb

Filesize
7KB

MD5
b91a4219f2cf031c6919e4707675c33a

SHA1
06d746c7232208a9606f8c638be82a4ed545e371

SHA256
3d26325646d566e3c5ae55ffb379f9a34a9c27e8300a1e3e887e5bcdef93afee

SHA512
4ce3af89411ccd64c5ab097855edc88cd99222530cb4e3a6f10dfd0369d83a70f838c7dd943de4f8be3057f2c7dde25089d8641d3de6ffd15f4d1d42550a0430

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF3E1.tmp

Filesize
652B

MD5
4951cb0ccee0b2f220141f97b608581a

SHA1
9ffc369c5d80dd89059ede1ab742453c21bfdf6d

SHA256
b577fdb401969ad274c07288d3a7f515b707cfa1b4cbf6a775e9c2220c883b54

SHA512
fafbfc09187a806cb851cad6cb94b7da3da13c0810bd3c2016b075c245e316a0a5022c1c61a90295e92f4a1abc41eede7fd0d654b1ef2dcf9a561e8859ffe021

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evxxe6ro.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evxxe6ro.cmdline

Filesize
309B

MD5
1bfda3798140070bce8d12f5c57f6bd3

SHA1
6e9ff41597616a029e65d8f74e59c09c359fc732

SHA256
05570688a042c77fdc4939e52890d9b4d3cdc08ca5f7da13a43a9fcdb3f275d8

SHA512
e1ac2e3b56ba858e9e056388982e5f90855cdd0b5a693202bf2e1eec280be561cda5a89ca3d19450606e99e38b6fe4883ba69d2325dd9969e19807b817ab8e04

Download Submit
memory/672-95-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/672-94-0x000007FEF3680000-0x000007FEF41DD000-memory.dmp

Filesize
11.4MB

Download
memory/672-93-0x000007FEF41E0000-0x000007FEF4C03000-memory.dmp

Filesize
10.1MB

Download
memory/672-104-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/672-105-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/1096-54-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing