b564f60fe6aa3c42836ce4bcad1c111532fa9381552af1cf07432a35325536e5 | Triage

Analysis

max time kernel
55s
max time network
64s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11/04/2023, 01:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

xzxz/a2.lnk
Size

1KB
MD5

f9c7250cdf6ee7b646d63f89ead338f9
SHA1

d3e0b9334972ebf71c56ae2ba001ffe4b54e5ba1
SHA256

2188a96244bad48d09533d88c2516917e38e4b70b679527156979b0205ddf9c8
SHA512

1f541ff7c328359fcda31dfe32ef97abc2cb5066c32e78d2c7f3cee0a80fe048b7c64eb628c4f31760322ab4207d010f8952980083824e8f96e5f476d0308a21

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2140	4604	cmd.exe	67
PID 4604 wrote to memory of 2140	4604	cmd.exe	67

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\xzxz\a2.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start __ & __\DriveMgr.exe & exit
  2⤵
  PID:2140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads