Analysis
  max time kernel: 30s
  max time network: 33s
  platform: windows7_x64
  resource: win7-20230220-en
  resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  submitted: 24/02/2023, 02:08
Static task
  static1
Behavioral task
  behavioral1
    Sample: RR.lnk
    Resource: win7-20230220-en
Behavioral task
  behavioral2
    Sample: RR.lnk
    Resource: win10v2004-20230221-en
Behavioral task
  behavioral3
    Sample: vibrations/compartmentally.cmd
    Resource: win7-20230220-en
Behavioral task
  behavioral4
    Sample: vibrations/compartmentally.cmd
    Resource: win10v2004-20230220-en
Behavioral task
  behavioral5
    Sample: vibrations/disobeys.exe
    Resource: win7-20230220-en
Behavioral task
  behavioral6
    Sample: vibrations/disobeys.exe
    Resource: win10v2004-20230220-en
General
  Target: RR.lnk
  Size: 1KB
  MD5: e11e154ee90f27fa17050a139523939b
  SHA1: 20bd4d6a8e35d438d4b19c74c4a2d4fe5453fbcc
  SHA256: e495000b075ced39574d17076457e30f36a45ba00cb87647e481ce004d09d306
  SHA512: 8bfde446bc0ae8501906838b1df7a6358ec060e79058c9f8bb0e8fce021c6587fa06d698141ab9f0c9abc906bf343c3a1e774e08afbfeaecde041f38d281c4b1
Malware Config
  (none)
Signatures
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
    pid   Process
    1104  cmd.exe
  Suspicious use of WriteProcessMemory (11 IoCs)
    description                   pid   Process  procid_target
    PID 1564 wrote to memory of   1104  cmd.exe  28
    PID 1564 wrote to memory of   1104  cmd.exe  28
    PID 1564 wrote to memory of   1104  cmd.exe  28
    PID 1564 wrote to memory of   1104  cmd.exe  28
    PID 1104 wrote to memory of   428   cmd.exe  33
    PID 1104 wrote to memory of   428   cmd.exe  33
    PID 1104 wrote to memory of   428   cmd.exe  33
    PID 1104 wrote to memory of   428   cmd.exe  33
    PID 1104 wrote to memory of   428   cmd.exe  33
    PID 1104 wrote to memory of   428   cmd.exe  33
    PID 1104 wrote to memory of   428   cmd.exe  33
Processes (depth 1 > 2 > 3)
  1. C:\Windows\system32\cmd.exe
     command line: cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
     PID: 1564
     signatures: Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\compartmentally.cmd
        PID: 1104
        signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of WriteProcessMemory
        3. C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe
           command line: vibrations\disobeys.exe -decode vibrations\battlement.sql c:\users\public\output.txt
           PID: 1000
        3. C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe
           command line: "C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe" -decode vibrations\battlement.sql c:\users\public\output.txt
           PID: 808
        3. C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe
           command line: vibrations\disobeys.exe -decode c:\users\public\output.txt c:\users\public\output2.txt
           PID: 1284
        3. C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe
           command line: "C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe" -decode c:\users\public\output.txt c:\users\public\output2.txt
           PID: 1648
        3. C:\Windows\SysWOW64\rundll32.exe
           command line: rundll32 c:\users\public\output2.txt,N115
           PID: 428