b1b5cfaaa8ccd872ce999c599fbd01136f01e63aec52e7070338f4a82420be7c | Triage

Analysis

max time kernel
34s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 21:03

Sharing

Report Analysis Logs

General

Target

b1b5cfaaa8ccd872ce999c599fbd01136f01e63aec52e7070338f4a82420be7c.lnk
Size

1KB
MD5

91dfdf598d88dfd265ccb4fb694793c0
SHA1

d9dce1e905abbf6255010a0cb7e87da334e5b3f8
SHA256

b1b5cfaaa8ccd872ce999c599fbd01136f01e63aec52e7070338f4a82420be7c
SHA512

857717cad2abda3a49f45c58137e3156d75e831adb94498792f9fc240d3c87945b5f31f11f18d3cd31cb5a68ae1139599b29a29b5b000e71f4551d86f22d968a

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 528	1132	cmd.exe	28
PID 1132 wrote to memory of 528	1132	cmd.exe	28
PID 1132 wrote to memory of 528	1132	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\b1b5cfaaa8ccd872ce999c599fbd01136f01e63aec52e7070338f4a82420be7c.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\WINDOWS\system32\cmd.exe
  "C:\WINDOWS\system32\cmd.exe" /c start win1.vbs&start 5.doc&exit
  2⤵
  PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1132-54-0x000007FEFB8D1000-0x000007FEFB8D3000-memory.dmp

Filesize
8KB

Download