Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2023, 02:08

General

  • Target

    RR.lnk

  • Size

    1KB

  • MD5

    e11e154ee90f27fa17050a139523939b

  • SHA1

    20bd4d6a8e35d438d4b19c74c4a2d4fe5453fbcc

  • SHA256

    e495000b075ced39574d17076457e30f36a45ba00cb87647e481ce004d09d306

  • SHA512

    8bfde446bc0ae8501906838b1df7a6358ec060e79058c9f8bb0e8fce021c6587fa06d698141ab9f0c9abc906bf343c3a1e774e08afbfeaecde041f38d281c4b1

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\compartmentally.cmd
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe
        vibrations\disobeys.exe -decode vibrations\battlement.sql c:\users\public\output.txt
        3⤵
          PID:1000
        • C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe
          "C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe" -decode vibrations\battlement.sql c:\users\public\output.txt
          3⤵
            PID:808
          • C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe
            vibrations\disobeys.exe -decode c:\users\public\output.txt c:\users\public\output2.txt
            3⤵
              PID:1284
            • C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe
              "C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe" -decode c:\users\public\output.txt c:\users\public\output2.txt
              3⤵
                PID:1648
              • C:\Windows\SysWOW64\rundll32.exe
                rundll32 c:\users\public\output2.txt,N115
                3⤵
                  PID:428

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1104-125-0x0000000002180000-0x0000000002181000-memory.dmp

              Filesize

              4KB