Analysis

  • max time kernel
    3s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2023, 19:41

General

  • Target

    RR.lnk

  • Size

    1KB

  • MD5

    02ffb37fb80d62bccbe6013ff3d4d2f0

  • SHA1

    8f06f89e0fa1ef30b3be0637c3f9a009f8492854

  • SHA256

    acbfe9386d83f7db8529f9a5d10a0add6a26b1ee6a855210a4f4100f94dea21c

  • SHA512

    0f4883a7d35e3cee520ba8c3b78c6cf9d339cd273172f999a9d6cd4149120aca330c01c078653af99a171f7a49ddd0d61ffe2af3aab9a66421d814c923b9149e

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\polaroid.cmd
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1712
      • C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe
        vibrations\airtightness.exe -decode vibrations\croaks.sql c:\users\public\output.txt
        3⤵
          PID:1120
        • C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe
          "C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe" -decode vibrations\croaks.sql c:\users\public\output.txt
          3⤵
            PID:1340

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1712-125-0x00000000004E0000-0x00000000004E1000-memory.dmp

        Filesize

        4KB