Analysis
- max time kernel: 150s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 14-10-2022 17:45
Static task
- static1
Behavioral tasks
- behavioral1: sample NisSrv.exe, resource win7-20220901-en
- behavioral2: sample NisSrv.exe, resource win10v2004-20220812-en
- behavioral3: sample circular_29092022.pdf, resource win7-20220812-en
- behavioral4: sample circular_29092022.pdf, resource win10v2004-20220901-en
- behavioral5: sample circular_29092022.pdf.lnk, resource win7-20220901-en
General
- Target: circular_29092022.pdf.lnk
- Size: 2KB
- MD5: 9401c4021ce5ae57da50eb7fddfff950
- SHA1: ec7f933174448b63b979027e79192e3127c8b5f4
- SHA256: 7259f69b075b7d849d7d0e300fe1d63057372aaedd07223de2d6b4023f5bf48c
- SHA512: 5458c93f60ef207954fb17a750e692fcf738013a85d92898ea284b190aab4ce84ad4dc30a58562094567da483e041347036c1c557fd6d9c05241cb256033996e
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
  Processes: NisSrv.exe (pid 1760), AcroRd32.exe (pid 1512)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe (pid 1512)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: NisSrv.exe (pid 1760), Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: AcroRd32.exe (pid 1512), 4 events
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - cmd.exe (PID 832) wrote to memory of cmd.exe (PID 1636), 3 events
  - cmd.exe (PID 1636) wrote to memory of NisSrv.exe (PID 1760), 4 events
  - cmd.exe (PID 1636) wrote to memory of AcroRd32.exe (PID 1512), 4 events
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\circular_29092022.pdf.lnk
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c START /B NisSrv.exe & circular_29092022.pdf
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\NisSrv.exe (depth 3)
      Command line: NisSrv.exe
      Signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of AdjustPrivilegeToken
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\circular_29092022.pdf"
      Signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/832-54-0x000007FEFC611000-0x000007FEFC613000-memory.dmp (Filesize 8KB)
- memory/1512-115-0x0000000000000000-mapping.dmp
- memory/1512-118-0x0000000076BA1000-0x0000000076BA3000-memory.dmp (Filesize 8KB)
- memory/1636-88-0x0000000000000000-mapping.dmp
- memory/1760-92-0x0000000000000000-mapping.dmp
- memory/1760-119-0x0000000001180000-0x0000000001218000-memory.dmp (Filesize 608KB)