Overview
Static: score 10
RR.lnk (windows7-x64): score 3
RR.lnk (windows10-2004-x64): score 7
sandstone/beeches.cmd (windows7-x64): score 1
sandstone/beeches.cmd (windows10-2004-x64): score 1
sandstone/gold.cmd (windows7-x64): score 1
sandstone/gold.cmd (windows10-2004-x64): score 1
sandstone/kilketh.dll (windows7-x64): score 10
sandstone/kilketh.dll (windows10-2004-x64): score 10
Analysis
- max time kernel: 41s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 07-12-2022 12:25
Static task: static1
Behavioral task behavioral1: sample RR.lnk, resource win7-20221111-en
Behavioral task behavioral2: sample RR.lnk, resource win10v2004-20221111-en
Behavioral task behavioral3: sample sandstone/beeches.cmd, resource win7-20221111-en
Behavioral task behavioral4: sample sandstone/beeches.cmd, resource win10v2004-20221111-en
Behavioral task behavioral5: sample sandstone/gold.cmd, resource win7-20220901-en
Behavioral task behavioral6: sample sandstone/gold.cmd, resource win10v2004-20221111-en
Behavioral task behavioral7: sample sandstone/kilketh.dll, resource win7-20221111-en
General
- Target: RR.lnk
- Size: 1KB
- MD5: 5adfb10fa942ee453862b4adbcfbca6f
- SHA1: d76867af1d617b82a6c2c69b43f3bcef5fedcdb2
- SHA256: 4cdbdd8e0e25072b84b74a3116f532819704a43daf567ef9230d137a11631895
- SHA512: c79e0913d046d96cfacfd4bd345d021d9868492d4ee0c9422231daf3fc0c4b8d12fb0bf78bc410cb9c82c8dc1c5e54ff581daef5e7159cfa305d3535d3d16c4c
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: cmd.exe, cmd.exe, cmd.exe, rundll32.exe
  description / pid / process / target process:
  PID 1140 wrote to memory of 1352 / 1140 / cmd.exe / cmd.exe
  PID 1140 wrote to memory of 1352 / 1140 / cmd.exe / cmd.exe
  PID 1140 wrote to memory of 1352 / 1140 / cmd.exe / cmd.exe
  PID 1352 wrote to memory of 964 / 1352 / cmd.exe / cmd.exe
  PID 1352 wrote to memory of 964 / 1352 / cmd.exe / cmd.exe
  PID 1352 wrote to memory of 964 / 1352 / cmd.exe / cmd.exe
  PID 964 wrote to memory of 548 / 964 / cmd.exe / replace.exe
  PID 964 wrote to memory of 548 / 964 / cmd.exe / replace.exe
  PID 964 wrote to memory of 548 / 964 / cmd.exe / replace.exe
  PID 964 wrote to memory of 1160 / 964 / cmd.exe / rundll32.exe
  PID 964 wrote to memory of 1160 / 964 / cmd.exe / rundll32.exe
  PID 964 wrote to memory of 1160 / 964 / cmd.exe / rundll32.exe
  PID 1160 wrote to memory of 900 / 1160 / rundll32.exe / rundll32.exe
  PID 1160 wrote to memory of 900 / 1160 / rundll32.exe / rundll32.exe
  PID 1160 wrote to memory of 900 / 1160 / rundll32.exe / rundll32.exe
  PID 1160 wrote to memory of 900 / 1160 / rundll32.exe / rundll32.exe
  PID 1160 wrote to memory of 900 / 1160 / rundll32.exe / rundll32.exe
  PID 1160 wrote to memory of 900 / 1160 / rundll32.exe / rundll32.exe
  PID 1160 wrote to memory of 900 / 1160 / rundll32.exe / rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sandstone\gold.cmd
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K sandstone\beeches.cmd system rundl
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\replace.exe
        replace C:\Windows\\system32\\rundlr32.exe C:\Users\Admin\AppData\Local\Temp /A
      - C:\Windows\system32\rundll32.exe
        rundll32 sandstone\\kilketh.tmp,init
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\rundll32.exe
          rundll32 sandstone\\kilketh.tmp,init
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/548-90-0x0000000000000000-mapping.dmp
- memory/900-92-0x0000000000000000-mapping.dmp
- memory/900-93-0x0000000075DF1000-0x0000000075DF3000-memory.dmp (Filesize 8KB)
- memory/964-89-0x0000000000000000-mapping.dmp
- memory/1140-54-0x000007FEFC201000-0x000007FEFC203000-memory.dmp (Filesize 8KB)
- memory/1160-91-0x0000000000000000-mapping.dmp
- memory/1352-88-0x0000000000000000-mapping.dmp