3041536c2a8e1a90ee11ba958e9ee764404a801fda04af11d256475064f752a6 | Triage

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14-12-2022 23:03

Sharing

Report Analysis Logs

General

Target

unmarketable/profitable.jpg
Size

32KB
MD5

6454a93bca820a6a20180ee757b50c3a
SHA1

6888bb6b3cac89dce3de0ceff58af30006546900
SHA256

9c1d2cc3a726542b617ecf6701eba50f6fbc6a1355a0c15fc2f8b66ea8b9f372
SHA512

87ebb960a17e8abe3cbb1bb218ee0108efb11406cc708083eb2ea7ed487c8ee00866e59102a5bdb035f96cba57f77ad3fe02ba1813ccdce1678267d9d9ef73c7
SSDEEP

768:Lmh8Kr2wGmBHb2mQ7plLFx9qJiF73xfxcpsTpIHABCl:yTr2J0SmQ7ptMKxcpvHABCl

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1696 rundll32.exe

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\unmarketable\profitable.jpg
1⤵
- Suspicious use of FindShellTrayWindow
PID:1696

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-54-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download