a9ffe5bb14b05e775f34f9eeff41fca89a350d49252eedae1e330e88952e7f36

Analysis

max time kernel
38s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:50

Target

Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/bootstrap.min.css
Size

118KB
MD5

5057f321f0dc85cd8da94a0c5f67a8f4
SHA1

224c9f9ad11b495358aa61dbd53e838e9b61015b
SHA256

5a3d8c05785485d36ee5c94d4681e5b1d9e4b94c5be8b5bd7b0f3168fff1bd9a
SHA512

4056508074c098e63356f88b53f8abdacae6bdd46e76e79028505be5d94ed6ec9cc6513ce2dbd1b398b23649a0e260f989b28669594df847daf3010fe296fe5d
SSDEEP

768:Xy3Gxw/Vc/QWlJxtQOIuiHlq5mzI4X8OAduFKbv2ctg2Bd8JP7ecQVvH1Fx:Jw/a1fIuiHlq5mN8lDbNmPbU

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

812 NOTEPAD.EXE

pid	process
812	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 812	2024	cmd.exe	NOTEPAD.EXE
PID 2024 wrote to memory of 812	2024	cmd.exe	NOTEPAD.EXE
PID 2024 wrote to memory of 812	2024	cmd.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Drivers\HIDGuardian\_drivers\HidCerberus.Srv\Content\dep\bootstrap.min.css
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Drivers\HIDGuardian\_drivers\HidCerberus.Srv\Content\dep\bootstrap.min.css
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:812

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/812-76-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download