415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919

Analysis

max time kernel
11s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:57

Target

415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919.exe
Size

84KB
MD5

36036c5c063dc6fe281de464377cc886
SHA1

1114d6a049a292cc749a1d39e316a5275af3f76e
SHA256

415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919
SHA512

1264e41c7aa616c4bc13514b403bb29e79229ce911f2fcbd908b371dd214760ee256aed3be9641017c2746e6b0d403b717bbe86d6abdf99805c8c2e3189716f9
SSDEEP

1536:7aSftgZU0miZ0/EclO8SnehhYn0O8ctOTxPq:7aSftgZU0JkQne257ow

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

864 NOTEPAD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

436 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919.exe

pid process

1896 415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919.exe

pid	process
864	NOTEPAD.EXE

pid	process
436	DllHost.exe

pid	process
1896	415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919.exe

description	pid	process	target process
PID 1896 wrote to memory of 864	1896	415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919.exe	NOTEPAD.EXE
PID 1896 wrote to memory of 864	1896	415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919.exe	NOTEPAD.EXE
PID 1896 wrote to memory of 864	1896	415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919.exe	NOTEPAD.EXE
PID 1896 wrote to memory of 864	1896	415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919.exe
"C:\Users\Admin\AppData\Local\Temp\415dcd4f9704373b5486a71daa3f7422cbd00b0b6747fc24e1b80999c7100919.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Hack.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:864

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:436

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Hack.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\images.jpg

Filesize
4KB

MD5
c1b6d323baab3fb7300b07fd12652612

SHA1
3de401eb7b5cba2a71e1d4e841b3c8829594719a

SHA256
babaca08d522bd74c49fa5e72c125805282d8cf96b9ca745ba9bb772106e6997

SHA512
ceff4780f5e8af3d1a32b6dfa3083b1973e49add08059c7fd25fec50fa068b8845bc2a192d59e25f0cb108fb4a63b0fbffd7bbcf5e9c254e7afd026b73a91074

Download Submit
memory/864-57-0x0000000000000000-mapping.dmp

Download
memory/1896-56-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download