539fea9977fd379f54dc54c1a233f4080e50d7332db93e5a849b828918f0da57

Analysis

max time kernel
179s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trichromatic.cmd
Size

707B
MD5

197c7ea9de7e86a52cea282d65ad1555
SHA1

246a51f548ae3b30d909cf4c15156e4781cfbc79
SHA256

b794fd5c0d82860aaab8e6765281301f110809159d61d2592b280832091ac793
SHA512

60128968028b5b0d07a0fdc74707da9e7bb745ca57cdcf16c89726c03aef46f9298b93ab5cb00318e904c3c8f84697e32e7ffc86d8fc955f8426dc1f54868bec

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3688	trink.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 5100	4956	cmd.exe	79
PID 4956 wrote to memory of 5100	4956	cmd.exe	79
PID 4956 wrote to memory of 3496	4956	cmd.exe	80
PID 4956 wrote to memory of 3496	4956	cmd.exe	80
PID 4956 wrote to memory of 4300	4956	cmd.exe	81
PID 4956 wrote to memory of 4300	4956	cmd.exe	81
PID 4956 wrote to memory of 1228	4956	cmd.exe	82
PID 4956 wrote to memory of 1228	4956	cmd.exe	82
PID 4956 wrote to memory of 3688	4956	cmd.exe	83
PID 4956 wrote to memory of 3688	4956	cmd.exe	83

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\trichromatic.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo f"
  2⤵
  PID:5100
- C:\Windows\system32\xcopy.exe
  xcopy C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\trink.exe /h /s /e
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo f"
  2⤵
  PID:4300
- C:\Windows\system32\xcopy.exe
  xcopy templates786.png C:\Users\Admin\AppData\Local\Temp\19672.28885 /h /s /e
  2⤵
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\trink.exe
  C:\Users\Admin\AppData\Local\Temp\trink.exe C:\Users\Admin\AppData\Local\Temp\19672.28885,#1
  2⤵
  - Executes dropped EXE
  PID:3688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\trink.exe

Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
C:\Users\Admin\AppData\Local\Temp\trink.exe

Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
memory/1228-135-0x0000000000000000-mapping.dmp

Download
memory/3496-133-0x0000000000000000-mapping.dmp

Download
memory/3688-136-0x0000000000000000-mapping.dmp

Download
memory/4300-134-0x0000000000000000-mapping.dmp

Download
memory/5100-132-0x0000000000000000-mapping.dmp

Download