Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 10-01-2023 17:31
Static task
static1
Behavioral tasks
task         sample          resource
behavioral1  document01.lnk  win7-20221111-en
behavioral2  document01.lnk  win10v2004-20221111-en
behavioral3  ipchains.dll    win7-20220901-en
behavioral4  ipchains.dll    win10v2004-20220812-en
behavioral5  price.bat       win7-20220812-en
behavioral6  price.bat       win10v2004-20221111-en
General
Target: price.bat
Size: 2KB
MD5: 2a677a2e87d30723a7f85db0e68246a0
SHA1: 8d6e8fd707166f6989d025b6e47eb32251ddf007
SHA256: b9f0301c363e3e874f0020090db489b4621a7df827aa5202971d789f9762e145
SHA512: fd976416ff65521c01c7c3cb5ccc4a7ce1fe786032868ed58314b5c412fc7dd5f7bd00aaae169adf0a0be0bd6caf6b40aaa91aba6c2945670d4d4e718f0dfe56
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: this is a generic drive-enumeration heuristic; the process tree below shows only two file copies and no file encryption or mass file access, so treat the ransomware label as unconfirmed for this sample.
Suspicious use of WriteProcessMemory (6 IoCs)
description         pid  process  target pid  target process
wrote to memory of  968  cmd.exe  1620        cmd.exe
wrote to memory of  968  cmd.exe  1620        cmd.exe
wrote to memory of  968  cmd.exe  1620        cmd.exe
wrote to memory of  968  cmd.exe  1628        xcopy.exe
wrote to memory of  968  cmd.exe  1628        xcopy.exe
wrote to memory of  968  cmd.exe  1628        xcopy.exe
Processes
1. C:\Windows\system32\cmd.exe (PID 968)
   cmd /c "C:\Users\Admin\AppData\Local\Temp\price.bat"
   Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe (PID 1620)
      C:\Windows\system32\cmd.exe /K copy /y C:\Windows\System32\rundll32.exe C:\ProgramData\cmVhpKJSis23S.exe
   2. C:\Windows\system32\xcopy.exe (PID 1628)
      xcopy /h /y ipchains.dll C:\ProgramData\

Child PIDs are taken from the WriteProcessMemory IoCs above. The batch file does two things: it copies the signed system binary rundll32.exe into C:\ProgramData\ under a random-looking name (cmVhpKJSis23S.exe), and it stages ipchains.dll (the DLL submitted alongside this sample as behavioral3/behavioral4) into the same directory with xcopy /h /y (hidden/system files included, overwrite without prompting). The /K switch keeps the child cmd.exe alive after the copy. No execution of the renamed rundll32.exe copy is observed within the 42-second run, so the trace shows staging only; the sibling ipchains.dll tasks should be checked for the DLL's own behaviour.
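The two command lines in the tree above are the detection opportunity: a cmd builtin `copy` (or xcopy/robocopy) whose source is a living-off-the-land binary and whose destination is outside System32, plus a DLL dropped into a world-writable staging directory. Below is an added example, not part of the sandbox report or of the sample, that parses Windows process-creation command lines and raises those findings. The event schema (pid/ppid/image/cmdline) is an assumption, not any real EDR's format; the three malicious command lines are copied from the process tree above and the fourth event is a constructed benign control. The LOLBin and staging-directory lists are illustrative starting points, not exhaustive.

```python
"""Flag LOLBin copies and DLL staging in Windows process-creation events.

Added example, not code from the sandbox report or the analysed sample.
The event layout below (pid/ppid/image/cmdline) is an assumed, EDR-agnostic
schema; command lines for PIDs 968/1620/1628 are those from the report's
process tree, PID 2000 is a constructed benign control.
"""
import re

# Signed system binaries frequently copied/renamed for proxy execution.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# World-writable directories commonly used to stage payloads.
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\")
COPY_VERBS = {"copy", "xcopy", "xcopy.exe", "robocopy", "robocopy.exe"}
SEPARATORS = {"&", "&&", "|", "||"}

# Constructed events (assumed schema).
EVENTS = [
    {"pid": 968, "ppid": 600, "image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": 'cmd /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\price.bat"'},
    {"pid": 1620, "ppid": 968, "image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": "C:\\Windows\\system32\\cmd.exe /K copy /y "
                "C:\\Windows\\System32\\rundll32.exe C:\\ProgramData\\cmVhpKJSis23S.exe"},
    {"pid": 1628, "ppid": 968, "image": "C:\\Windows\\system32\\xcopy.exe",
     "cmdline": "xcopy /h /y ipchains.dll C:\\ProgramData\\"},
    # Benign control: an admin copying a log file to a file share.
    {"pid": 2000, "ppid": 600, "image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": "cmd /c copy /y C:\\logs\\app.log \\\\fs01\\backup\\"},
]


def tokenize(cmdline):
    """Split on whitespace but keep double-quoted arguments as one token.
    This approximates cmd.exe quoting; escaped or nested quotes are not handled."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    """Lower-cased final path component ('' when the path ends in a separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(cmdline):
    """Return finding tags for one command line; empty list when nothing matches."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks):
        if basename(tok) in COPY_VERBS:
            break
    else:
        return []
    # Operands after the copy verb: drop switches, stop at a command separator
    # so that `copy a b & b.exe ...` is not parsed with the wrong destination.
    args = []
    for tok in toks[i + 1:]:
        if tok in SEPARATORS:
            break
        if not tok.startswith("/"):
            args.append(tok)
    if len(args) < 2:
        return []
    src, dst = args[0], args[-1]
    src_name, dst_l = basename(src), dst.lower()
    findings = []
    if src_name in LOLBINS and not dst_l.startswith(SYSTEM_DIRS):
        findings.append("lolbin_outside_system32")
        # A non-empty, different destination basename means the binary is renamed.
        if basename(dst) and basename(dst) != src_name:
            findings.append("lolbin_renamed")
    if src_name.endswith(".dll") and dst_l.startswith(STAGING_DIRS):
        findings.append("dll_to_staging_dir")
    return findings


def scan(events):
    """Map pid -> findings for every event that raises at least one finding."""
    out = {}
    for ev in events:
        findings = analyse(ev["cmdline"])
        if findings:
            out[ev["pid"]] = findings
    return out


if __name__ == "__main__":
    for pid, findings in scan(EVENTS).items():
        print(pid, ", ".join(findings))
```

Run against the constructed events, PID 1620 is flagged for copying a LOLBin out of System32 under a new name and PID 1628 for dropping a DLL into C:\ProgramData\, while the parent cmd.exe and the benign share copy raise nothing. A production version would correlate the two findings on a shared parent PID and target directory, and watch for a later process whose image is the renamed copy.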