5270f742e681aec9baa479752333e1eac084ef2e7b949308ba42a3b9ebaae314 | Triage

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-12-2022 09:57

Sharing

Report Analysis Logs

General

Target

1.lnk
Size

1KB
MD5

a4437af8405dde64eb3d4a0d3a7b5e36
SHA1

1a7abe8054fd051d6d0c9fa7bfc61c2beaf9cf86
SHA256

5270f742e681aec9baa479752333e1eac084ef2e7b949308ba42a3b9ebaae314
SHA512

f68cdf6fe21622a86dbc94a824e0f4687ed6c1204d6e585cd65e208c6f3ef89592fe36134a99740d08bfde34418b155e55580fee80e83f4822b0c8aa413f8858

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1560	1720	cmd.exe	29
PID 1720 wrote to memory of 1560	1720	cmd.exe	29
PID 1720 wrote to memory of 1560	1720	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Invoice\YouContract.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
  2⤵
  PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1560-89-0x0000000000000000-mapping.dmp

Download
memory/1720-54-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download