da2b5721da210937936fff0991248b7e4acc5f15a3dcbaccca28705404f2ae05

Analysis

max time kernel
52s
max time network
73s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19-01-2023 16:38

Target

doc.lnk
Size

1KB
MD5

46f0b2e9fb03af73e28bff1c9d22c2bf
SHA1

5cedb40f12bbcfe46d7ffed7935ae3908ef12b23
SHA256

cf1a8acfb8dc6e9bd840d0e4e4a4e4272b376452677b66f1d49bf318166a2586
SHA512

d1e08d24141ee9bf4b065f82ad0cc6574266d232ad508294d18a931624981848b17a79ba9414f81a940053254120aff27a026b8d74ad256f1a6b3c3eee32728d

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 396	2576	cmd.exe	67
PID 2576 wrote to memory of 396	2576	cmd.exe	67
PID 396 wrote to memory of 4728	396	cmd.exe	68
PID 396 wrote to memory of 4728	396	cmd.exe	68
PID 396 wrote to memory of 3844	396	cmd.exe	69
PID 396 wrote to memory of 3844	396	cmd.exe	69

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Article.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K copy /y /b C:\Windows\System32\rundll32.exe C:\ProgramData\KIH0o7s0zWO1hL.exe
    3⤵
    PID:4728
- - C:\Windows\system32\xcopy.exe
    xcopy /h /y storage.dll C:\ProgramData
    3⤵
    PID:3844

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact