Analysis
- max time kernel: 44s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 21-09-2022 16:19
Behavioral tasks
- behavioral1: Sample "Policy Update/Policy.pdf", Resource win7-20220901-en
- behavioral2: Sample "Policy Update/Policy.pdf", Resource win10v2004-20220812-en
- behavioral3: Sample "Policy Update/Policy.pdf.lnk", Resource win7-20220901-en
- behavioral4: Sample "Policy Update/Policy.pdf.lnk", Resource win10v2004-20220812-en
- behavioral5: Sample "Policy Update/policy.exe", Resource win7-20220812-en
General
- Target: Policy Update/Policy.pdf.lnk
- Size: 240KB
- MD5: e4ba3d8f9dcd80f3716dea2b30c6aac4
- SHA1: f1d7bcc3b09b74e2e3ce8fbf4288ee56728512e6
- SHA256: 476dce51d08f357b4f82e6ad92d01be070b3d5534541af88cdff04e38a478dcd
- SHA512: 5f8517386fcb1cacc79a936c6048c73d30ada73c6f773afd67ccd279912d845eec444f0e82bf45f3d427753f656402ad43abb3601cdcd999d829810c2ca348a3
- SSDEEP: 24:8UcJdmBlS0po4HSApA+/RXPqOY4I0WQtntzFyDvc17v/MRht1d/5zmx/:83mT7tx/iOnIcyDvc1Ofe
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1552  policy.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 1816 wrote to memory of 1356  1816  cmd.exe     cmd.exe
    PID 1816 wrote to memory of 1356  1816  cmd.exe     cmd.exe
    PID 1816 wrote to memory of 1356  1816  cmd.exe     cmd.exe
    PID 1356 wrote to memory of 1752  1356  cmd.exe     policy.exe
    PID 1356 wrote to memory of 1752  1356  cmd.exe     policy.exe
    PID 1356 wrote to memory of 1752  1356  cmd.exe     policy.exe
    PID 1752 wrote to memory of 1552  1752  policy.exe  policy.exe
    PID 1752 wrote to memory of 1552  1752  policy.exe  policy.exe
    PID 1752 wrote to memory of 1552  1752  policy.exe  policy.exe
Processes (process tree, indented by depth)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Policy Update\Policy.pdf.lnk"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /q /c "policy.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Policy Update\policy.exe
      Command line: policy.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Policy Update\policy.exe
        Command line: policy.exe
        Signatures: Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI17522\python310.dll
  Filesize: 4.3MB
  MD5: 342ba224fe440b585db4e9d2fc9f86cd
  SHA1: bfa3d380231166f7c2603ca89a984a5cad9752ab
  SHA256: cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432
  SHA512: daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1
- \Users\Admin\AppData\Local\Temp\_MEI17522\python310.dll
  Filesize: 4.3MB
  MD5: 342ba224fe440b585db4e9d2fc9f86cd
  SHA1: bfa3d380231166f7c2603ca89a984a5cad9752ab
  SHA256: cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432
  SHA512: daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1
- memory/1356-88-0x0000000000000000-mapping.dmp
- memory/1552-94-0x0000000000000000-mapping.dmp
- memory/1752-92-0x0000000000000000-mapping.dmp
- memory/1816-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp
  Filesize: 8KB