cd592c969a3a940e43888a1902ec9e4605ed28676d3945ab84d72175fbc87253

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 17:45

Target

circular_29092022.pdf.lnk
Size

2KB
MD5

9401c4021ce5ae57da50eb7fddfff950
SHA1

ec7f933174448b63b979027e79192e3127c8b5f4
SHA256

7259f69b075b7d849d7d0e300fe1d63057372aaedd07223de2d6b4023f5bf48c
SHA512

5458c93f60ef207954fb17a750e692fcf738013a85d92898ea284b190aab4ce84ad4dc30a58562094567da483e041347036c1c557fd6d9c05241cb256033996e

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

NisSrv.exeAcroRd32.exe

pid process

1760 NisSrv.exe
1512 AcroRd32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1512 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NisSrv.exe

description pid process

Token: SeDebugPrivilege 1760 NisSrv.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1512 AcroRd32.exe
1512 AcroRd32.exe
1512 AcroRd32.exe
1512 AcroRd32.exe

pid	process
1760	NisSrv.exe
1512	AcroRd32.exe

pid	process
1512	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	1760	NisSrv.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 832 wrote to memory of 1636	832	cmd.exe	cmd.exe
PID 832 wrote to memory of 1636	832	cmd.exe	cmd.exe
PID 832 wrote to memory of 1636	832	cmd.exe	cmd.exe
PID 1636 wrote to memory of 1760	1636	cmd.exe	NisSrv.exe
PID 1636 wrote to memory of 1760	1636	cmd.exe	NisSrv.exe
PID 1636 wrote to memory of 1760	1636	cmd.exe	NisSrv.exe
PID 1636 wrote to memory of 1760	1636	cmd.exe	NisSrv.exe
PID 1636 wrote to memory of 1512	1636	cmd.exe	AcroRd32.exe
PID 1636 wrote to memory of 1512	1636	cmd.exe	AcroRd32.exe
PID 1636 wrote to memory of 1512	1636	cmd.exe	AcroRd32.exe
PID 1636 wrote to memory of 1512	1636	cmd.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\circular_29092022.pdf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c START /B NisSrv.exe & circular_29092022.pdf
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/832-54-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download
memory/1512-115-0x0000000000000000-mapping.dmp

Download
memory/1512-118-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1636-88-0x0000000000000000-mapping.dmp

Download
memory/1760-92-0x0000000000000000-mapping.dmp

Download
memory/1760-119-0x0000000001180000-0x0000000001218000-memory.dmp

Filesize
608KB

Download