c7fa25f2c9d0c1edb55b3a214b69da8f1ae8515cdb2b15412133a6fcb643f0f6

Analysis

max time kernel
12s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/09/2022, 16:54

Target

fonts/CALISTBI.ttf
Size

82KB
MD5

b8178488b4decb255bd3094b320600ac
SHA1

315bf5a35ef284a71fd90f304767c8d90d6883cd
SHA256

9b9e45f016b013d92c3caf1985db22f85e39c8b1f208636f9ac21f9c135239ce
SHA512

3e98e8484ba5ac6c1475af24ae9ae55045511a46baf250ca36d4bb2b64e74b67e9b58a289572ee2609662685ab7218cf8fee200400a417a310bd7b82f47af1e6
SSDEEP

1536:fAsN4DofckwriM3kM+cGEGjmU+xXXXozKbR5ITHpfLR8eXHVBGgIuBoQPeV9pfrr:fT0oYiMURcGEF7x3EKfiZRrfGgIsPsD/

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 336	1988	cmd.exe	27
PID 1988 wrote to memory of 336	1988	cmd.exe	27
PID 1988 wrote to memory of 336	1988	cmd.exe	27

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\fonts\CALISTBI.ttf
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\fonts\CALISTBI.ttf
  2⤵
  PID:336

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1988-54-0x000007FEFC431000-0x000007FEFC433000-memory.dmp

Filesize
8KB

Download