1d3ec9cc32e182fdca13de069d4e2681a053b286f0773fbd894627bff6ab70e8

Analysis

max time kernel
315s
max time network
318s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
21-11-2022 02:15

Target

documents-8515.lnk
Size

2KB
MD5

61bb624fe3454ea9c9ef8817bc3d5d97
SHA1

6aac8486122a53e02b3e2ee5c38287402dc98a10
SHA256

5ffc82a08523f91d2d7f9f63e34b0068a0bf4c4c40941399ed4489af13986191
SHA512

ce0289321d9c9fe64ae492e32878d523877c2a542c90f3817f3fb9ec8d78b86db67e5caada18591ab88094cd3792c3261f6440d3c41c1b70b0d545e965ec7c8b

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

companionably.exe

pid process

3540 companionably.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3540	companionably.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1928 wrote to memory of 4868	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 4868	1928	cmd.exe	cmd.exe
PID 4868 wrote to memory of 4332	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 4332	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 3488	4868	cmd.exe	xcopy.exe
PID 4868 wrote to memory of 3488	4868	cmd.exe	xcopy.exe
PID 4868 wrote to memory of 3552	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 3552	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 956	4868	cmd.exe	xcopy.exe
PID 4868 wrote to memory of 956	4868	cmd.exe	xcopy.exe
PID 4868 wrote to memory of 3540	4868	cmd.exe	companionably.exe
PID 4868 wrote to memory of 3540	4868	cmd.exe	companionably.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\documents-8515.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yardland.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
3⤵
PID:4332

C:\Windows\system32\xcopy.exe
xcopy C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\companionably.exe /h /s /e
3⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
3⤵
PID:3552

C:\Windows\system32\xcopy.exe
xcopy templates201.png C:\Users\Admin\AppData\Local\Temp\6595.5846 /h /s /e
3⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\companionably.exe
C:\Users\Admin\AppData\Local\Temp\companionably.exe C:\Users\Admin\AppData\Local\Temp\6595.5846,#1
3⤵
- Executes dropped EXE
PID:3540

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\companionably.exe
Filesize
67KB

MD5
ecb702b8c5650381c0784f1eeabb97bc

SHA1
00349303c7185faf3e86df9009281cc8d5b35954

SHA256
9cc4ddad2e9ae05a8c5762ba88a13c2b1ee4e25ae98ef01dd041fe35d611da87

SHA512
220f136bb47a8cf8f88a3b7680e9a86eeb81aecfdc7d8b63bc6195625592e49a8c4f5aaaaced826720afb36763e9272f4a69906a2cea8b4cae3a082014a405fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\companionably.exe
Filesize
67KB

MD5
ecb702b8c5650381c0784f1eeabb97bc

SHA1
00349303c7185faf3e86df9009281cc8d5b35954

SHA256
9cc4ddad2e9ae05a8c5762ba88a13c2b1ee4e25ae98ef01dd041fe35d611da87

SHA512
220f136bb47a8cf8f88a3b7680e9a86eeb81aecfdc7d8b63bc6195625592e49a8c4f5aaaaced826720afb36763e9272f4a69906a2cea8b4cae3a082014a405fd

Download Submit
memory/956-124-0x0000000000000000-mapping.dmp

Download
memory/3488-122-0x0000000000000000-mapping.dmp

Download
memory/3540-125-0x0000000000000000-mapping.dmp

Download
memory/3552-123-0x0000000000000000-mapping.dmp

Download
memory/4332-121-0x0000000000000000-mapping.dmp

Download
memory/4868-120-0x0000000000000000-mapping.dmp

Download