Analysis
- max time kernel: 315s
- max time network: 318s
- platform: windows10-1703_x64
- resource: win10-20220901-en
- resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 21-11-2022 02:15
Static task
- static1
Behavioral tasks
- behavioral1: documents-8515.lnk (resource win10-20220901-en)
- behavioral2: templates201.dll (resource win10-20220812-en)
- behavioral3: unfeignedness_sitiophobia.png (resource win10-20220812-en)
- behavioral4: yardland.cmd (resource win10-20220812-en)
General (this page covers behavioral1, the LNK)
- Target: documents-8515.lnk
- Size: 2KB
- MD5: 61bb624fe3454ea9c9ef8817bc3d5d97
- SHA1: 6aac8486122a53e02b3e2ee5c38287402dc98a10
- SHA256: 5ffc82a08523f91d2d7f9f63e34b0068a0bf4c4c40941399ed4489af13986191
- SHA512: ce0289321d9c9fe64ae492e32878d523877c2a542c90f3817f3fb9ec8d78b86db67e5caada18591ab88094cd3792c3261f6440d3c41c1b70b0d545e965ec7c8b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: PID 3540, companionably.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but it is a generic heuristic; no other signature in this run (no file encryption, no network activity) supports that classification on its own.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (the report records each pair twice, which is where the count of 12 comes from):
    Source PID  Source process  Target PID  Target process
    1928        cmd.exe         4868        cmd.exe
    4868        cmd.exe         4332        cmd.exe
    4868        cmd.exe         3488        xcopy.exe
    4868        cmd.exe         3552        cmd.exe
    4868        cmd.exe         956         xcopy.exe
    4868        cmd.exe         3540        companionably.exe
  Every write goes from a shell into a child it has just created, which is what process creation looks like to this hook; there is no write into an unrelated process, so the value of this signature here is the spawn chain itself, not injection.
Processes (number = depth in the tree)
1. C:\Windows\system32\cmd.exe  (PID 1928)
   cmd /c C:\Users\Admin\AppData\Local\Temp\documents-8515.lnk
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe  (PID 4868)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yardland.cmd" "
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe  (PID 4332)
         C:\Windows\system32\cmd.exe /S /D /c" echo f"
      3. C:\Windows\system32\xcopy.exe  (PID 3488)
         xcopy C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\companionably.exe /h /s /e
      3. C:\Windows\system32\cmd.exe  (PID 3552)
         C:\Windows\system32\cmd.exe /S /D /c" echo f"
      3. C:\Windows\system32\xcopy.exe  (PID 956)
         xcopy templates201.png C:\Users\Admin\AppData\Local\Temp\6595.5846 /h /s /e
      3. C:\Users\Admin\AppData\Local\Temp\companionably.exe  (PID 3540)
         C:\Users\Admin\AppData\Local\Temp\companionably.exe C:\Users\Admin\AppData\Local\Temp\6595.5846,#1
         - Executes dropped EXE

Reading the tree: the LNK's target is cmd.exe, which runs yardland.cmd (PID 4868). The script performs two copies, each written as "echo f | xcopy ...": the two "cmd /S /D /c" echo f"" children (PIDs 4332 and 3552) are the left-hand side of those pipes and feed "F" to xcopy's "file or directory?" prompt so the copy completes without user interaction. The first copy (PID 3488) duplicates the legitimate C:\Windows\system32\rundll32.exe into %TEMP% as companionably.exe; the second (PID 956) copies templates201.png to a file named 6595.5846. The renamed rundll32 is then run with "6595.5846,#1", rundll32's <module>,<entry> syntax, so it loads 6595.5846 as a DLL and calls export ordinal 1. Copying rundll32 under another name defeats detections keyed on the image name rundll32.exe, and the .png and extensionless names keep the DLL away from extension-based checks. Note that the Downloads section records only companionably.exe and no file at C:\Users\Admin\AppData\Local\Temp\6595.5846, so the page does not confirm that the second copy succeeded in this run.
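The chain in the process tree above (an OS binary copied into a user-writable path under a new name, a script launched from a .lnk, and rundll32's <module>,<entry> syntax used against a file that is not a .dll) is the kind of thing a process-creation rule catches. The following is an added example, not part of the Triage report or of the sample: a Python check run over constructed process-creation events transcribed from the tree above, plus two hypothetical benign events for contrast. The event field names, rule names and the benign events are assumptions. Confirming the renamed copy in practice means comparing the dropped file's hash with that of C:\Windows\system32\rundll32.exe on the same image, which this example does not have.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record with the fields this check needs (Sysmon EID 1 carries all of them)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample, modeled on the process tree in this report. Not sandbox
# output: the first seven entries are transcribed from the tree, the last two
# are hypothetical benign events added for contrast.
SAMPLE_EVENTS = [
    ProcEvent(1928, 0, r"C:\Windows\system32\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\documents-8515.lnk"),
    ProcEvent(4868, 1928, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yardland.cmd" "'),
    ProcEvent(4332, 4868, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo f"'),
    ProcEvent(3488, 4868, r"C:\Windows\system32\xcopy.exe",
              r"xcopy C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\companionably.exe /h /s /e"),
    ProcEvent(3552, 4868, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo f"'),
    ProcEvent(956, 4868, r"C:\Windows\system32\xcopy.exe",
              r"xcopy templates201.png C:\Users\Admin\AppData\Local\Temp\6595.5846 /h /s /e"),
    ProcEvent(3540, 4868, r"C:\Users\Admin\AppData\Local\Temp\companionably.exe",
              r"C:\Users\Admin\AppData\Local\Temp\companionably.exe C:\Users\Admin\AppData\Local\Temp\6595.5846,#1"),
    # hypothetical benign noise (assumed, not from the report)
    ProcEvent(5000, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
    ProcEvent(5001, 1000, r"C:\Windows\system32\xcopy.exe",
              r"xcopy C:\Users\Admin\Documents\notes.txt D:\backup\ /s"),
]

WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|temp)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(cmd|bat)\b", re.I)
# rundll32 argument grammar: <module>,<entry> where entry is an export name or #ordinal
RUNDLL_ARG = re.compile(r"^(?P<module>\S+?),(?P<entry>#\d+|[A-Za-z_]\w*)$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_os_binary_copied(ev, _parent):
    """xcopy of an .exe from under the Windows directory into a user-writable directory."""
    if basename(ev.image) != "xcopy.exe":
        return []
    args = ev.cmdline.split()  # crude tokenizer; enough for the unquoted commands in the report
    if len(args) < 3:
        return []
    src, dst = args[1], args[2]
    if WINDOWS_DIR.match(src) and src.lower().endswith(".exe") and USER_WRITABLE.search(dst):
        return ["os_binary_copied_to_user_path"]
    return []


def rule_rundll32_syntax(ev, _parent):
    """A '<module>,<entry>' last argument is rundll32's calling convention; flag it when the
    image is not rundll32.exe (a renamed copy) or the module does not look like a DLL."""
    args = ev.cmdline.split()
    m = RUNDLL_ARG.match(args[-1]) if len(args) > 1 else None
    if not m:
        return []
    hits = []
    if basename(ev.image) != "rundll32.exe":
        hits.append("rundll32_arg_syntax_from_renamed_image")
    if not m.group("module").lower().endswith(".dll"):
        hits.append("rundll32_module_without_dll_extension")
    return hits


def rule_script_via_lnk(ev, parent):
    """cmd.exe running a .cmd/.bat from a user-writable path, spawned by a .lnk launch."""
    if basename(ev.image) != "cmd.exe" or parent is None:
        return []
    if SCRIPT_EXT.search(ev.cmdline) and USER_WRITABLE.search(ev.cmdline) and ".lnk" in parent.cmdline.lower():
        return ["script_launched_via_lnk"]
    return []


RULES = (rule_os_binary_copied, rule_rundll32_syntax, rule_script_via_lnk)


def detect(events):
    """Return (pid, rule_name) pairs for every event that trips a rule."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for rule in RULES:
            findings.extend((ev.pid, name) for name in rule(ev, parent))
    return findings


if __name__ == "__main__":
    for pid, name in detect(SAMPLE_EVENTS):
        print(pid, name)
```

Run against the sample, the rules fire on PID 4868 (script from a .lnk), PID 3488 (rundll32.exe copied into Temp) and PID 3540 (rundll32 syntax from a non-rundll32 image, against a module with no .dll extension), and stay quiet on the "echo f" helpers, the second xcopy and the two benign events. The rundll32 rule deliberately keys on the argument grammar rather than the image name, which is exactly what the renaming in this sample is meant to evade.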
Network (empty in this report)
MITRE ATT&CK Enterprise v6 (empty in this report)
Downloads
- C:\Users\Admin\AppData\Local\Temp\companionably.exe (the report lists this entry twice)
  Filesize: 67KB
  MD5: ecb702b8c5650381c0784f1eeabb97bc
  SHA1: 00349303c7185faf3e86df9009281cc8d5b35954
  SHA256: 9cc4ddad2e9ae05a8c5762ba88a13c2b1ee4e25ae98ef01dd041fe35d611da87
  SHA512: 220f136bb47a8cf8f88a3b7680e9a86eeb81aecfdc7d8b63bc6195625592e49a8c4f5aaaaced826720afb36763e9272f4a69906a2cea8b4cae3a082014a405fd
  Since xcopy produces a byte-for-byte copy, these hashes should match C:\Windows\system32\rundll32.exe on the win10-20220901-en image; check that before treating companionably.exe as a novel binary. The file copied to C:\Users\Admin\AppData\Local\Temp\6595.5846 does not appear in this list.
Memory dumps (mapping only)
- memory/956-124-0x0000000000000000-mapping.dmp
- memory/3488-122-0x0000000000000000-mapping.dmp
- memory/3540-125-0x0000000000000000-mapping.dmp
- memory/3552-123-0x0000000000000000-mapping.dmp
- memory/4332-121-0x0000000000000000-mapping.dmp
- memory/4868-120-0x0000000000000000-mapping.dmp