Analysis
max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted
13-09-2022 06:43
Static task
static1
Behavioral task
behavioral1
Sample
ThankYou.html
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
assets/icon.png
Resource
win7-20220812-en
Behavioral task
behavioral3
Sample
background.html
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
background.js
Resource
win7-20220812-en
Behavioral task
behavioral5
Sample
content.js
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
manifest.json
Resource
win7-20220812-en
Behavioral task
behavioral7
Sample
style.css
Resource
win7-20220901-en
General
-
Target
style.css
-
Size
753B
-
MD5
1fa01153ea3c25a9e67fc0998df2d61c
-
SHA1
2a30cf61c05319b5fba457f67d29dc9409771a06
-
SHA256
bfaef90ad6283350e3a8e426c45342ce6ee330d39a98874f845c280a8e398eb2
-
SHA512
6754fc8c344f8317b24f0337920decd143dcaaedb3754b4f2248f862f31e835b71ede2088bf30ae3b634e0c827f82daf3a869acde560a7291f9fd5b90d0f105c
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Opens file in notepad (likely ransom note) (1 IoCs)
Processes:
pid process
1008 NOTEPAD.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description pid process target process
PID 1340 wrote to memory of 1008 1340 cmd.exe NOTEPAD.EXE
PID 1340 wrote to memory of 1008 1340 cmd.exe NOTEPAD.EXE
PID 1340 wrote to memory of 1008 1340 cmd.exe NOTEPAD.EXE
Processes
- C:\Windows\system32\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\style.css
Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\system32\NOTEPAD.EXE (child of PID 1340)
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\style.css
Opens file in notepad (likely ransom note)
PID:1008