97a66b7678a24099b37bd3ae59f8b0f091696394acb1628d304d8860bc6d44ff | Triage

Analysis

max time kernel
26s
max time network
29s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 17:06

Sharing

Report Analysis Logs

General

Target

97a66b7678a24099b37bd3ae59f8b0f091696394acb1628d304d8860bc6d44ff.lnk
Size

676B
MD5

0a0c0b39109f2566c5d2d113fd304060
SHA1

c22c41725a1aa0db7dcc99f9b0da9efa5fc7986f
SHA256

97a66b7678a24099b37bd3ae59f8b0f091696394acb1628d304d8860bc6d44ff
SHA512

dfdff8a54c829283f9d924567f16d2dbbb33b6fa43c73c52043dcc9b968645bb9ba63659a4f50fa446bacaf7586fd75cae4fbd3015f5a2dabb51cf03b0c99daa

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1976	1980	cmd.exe	28
PID 1980 wrote to memory of 1976	1980	cmd.exe	28
PID 1980 wrote to memory of 1976	1980	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\97a66b7678a24099b37bd3ae59f8b0f091696394acb1628d304d8860bc6d44ff.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" //e:VBScript thumb.db "Microsoft"
  2⤵
  PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-88-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x000007FEFB5F1000-0x000007FEFB5F3000-memory.dmp

Filesize
8KB

Download