9d6330de26ad9a5a0ff2b3c08c5cfeaa27c3ff88abb3fff33aa28e004ebdeb71

Analysis

max time kernel
42s
max time network
136s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/10/2022, 16:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DK.lnk
Size

1KB
MD5

985079fc2814a376dd9515920d729df1
SHA1

e6ee9a1ff995b60346029fc72e8a722f4cd80638
SHA256

d86f477fae6eed053e92c99b66e314197edeccb480657799843debf8905679ae
SHA512

de953e861be7c42173805eb7047b9e153bc8e3da4aae1d7a9d136a2e8099b3033f90224da51d30b9842cc7573f4512dbfee8595ea3ce7a30f06c4c84e9de3ee7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
524	constitutionalBeeswax.com

Loads dropped DLL 1 IoCs

pid	Process
1472	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1472	968	cmd.exe	28
PID 968 wrote to memory of 1472	968	cmd.exe	28
PID 968 wrote to memory of 1472	968	cmd.exe	28
PID 1472 wrote to memory of 524	1472	cmd.exe	29
PID 1472 wrote to memory of 524	1472	cmd.exe	29
PID 1472 wrote to memory of 524	1472	cmd.exe	29
PID 524 wrote to memory of 1284	524	constitutionalBeeswax.com	30
PID 524 wrote to memory of 1284	524	constitutionalBeeswax.com	30
PID 524 wrote to memory of 1284	524	constitutionalBeeswax.com	30
PID 524 wrote to memory of 1284	524	constitutionalBeeswax.com	30
PID 524 wrote to memory of 1284	524	constitutionalBeeswax.com	30
PID 524 wrote to memory of 1284	524	constitutionalBeeswax.com	30
PID 524 wrote to memory of 1284	524	constitutionalBeeswax.com	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\DK.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c moccasin\released.cmd re g
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\constitutionalBeeswax.com
    C:\Users\Admin\AppData\Local\Temp\\constitutionalBeeswax.com moccasin\dredgers.dat
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\SysWOW64\regsvr32.exe
      moccasin\dredgers.dat
      4⤵
      PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\constitutionalBeeswax.com

Filesize
19KB

MD5
59bce9f07985f8a4204f4d6554cff708

SHA1
645c424974fbe5fe7a04cac73f1c23c96e1570b8

SHA256
ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

SHA512
3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

Download Submit
\Users\Admin\AppData\Local\Temp\constitutionalBeeswax.com

Filesize
19KB

MD5
59bce9f07985f8a4204f4d6554cff708

SHA1
645c424974fbe5fe7a04cac73f1c23c96e1570b8

SHA256
ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

SHA512
3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

Download Submit
memory/968-54-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1284-97-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/1284-98-0x0000000075060000-0x00000000750E2000-memory.dmp

Filesize
520KB

Download
memory/1284-99-0x0000000075060000-0x00000000750E2000-memory.dmp

Filesize
520KB

Download