446d8344df2d21106b51d808ec1a24a66cf282de8a584161ac5f7e86ffb7b7bf | Triage

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 13:49

Sharing

Report Analysis Logs

General

Target

446d8344df2d21106b51d808ec1a24a66cf282de8a584161ac5f7e86ffb7b7bf.lnk
Size

800B
MD5

72191ad6fdb0a56b472342d3aac80d20
SHA1

906fc37a695fc815e5ddda626bff407ff8261796
SHA256

446d8344df2d21106b51d808ec1a24a66cf282de8a584161ac5f7e86ffb7b7bf
SHA512

80727448c47de403b3c07b660eb58e2104f8686e98ff88266ed977b8f312e722f5da30e0c63ab855e71d0d9a020b0e86827bf40c7d28159b30bd982c959993c8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 568	1048	cmd.exe	28
PID 1048 wrote to memory of 568	1048	cmd.exe	28
PID 1048 wrote to memory of 568	1048	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\446d8344df2d21106b51d808ec1a24a66cf282de8a584161ac5f7e86ffb7b7bf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" \5appa55a.ua0.p5k0fak0.pfu.kp5kku.aa0.p5k05uak.fffffk,kkkkkkkkkkkkkkk5
  2⤵
  PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download