05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d

Analysis

max time kernel
376s
max time network
433s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 21:33

Target

05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe
Size

112KB
MD5

7706876568542419a64f5e0a48d322b1
SHA1

3b6abe527b2da5c119a452d06891566e7e01b376
SHA256

05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d
SHA512

ea878b336946fbad4229eb60207265b1c66e0f8ef7c8d3e97c61e0341e92d3307f4290abcaa0211eea95fdf435522e0c5d347bbe09c4a32764bac99559daf5f9
SSDEEP

3072:TRm3h5i0hA95TJ4tzzzzzzzzzzzzzzzzzzzzzzzzzzz+a6/md31Rq3F:TRmbic44zzzzzzzzzzzzzzzzzzzzzzzW

Score

5^/10

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4912 set thread context of 524	4912	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	82

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	svchost.exe

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
1560	NOTEPAD.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
524	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe
524	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 524	4912	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	82
PID 4912 wrote to memory of 524	4912	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	82
PID 4912 wrote to memory of 524	4912	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	82
PID 4912 wrote to memory of 524	4912	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	82
PID 4912 wrote to memory of 524	4912	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	82
PID 4912 wrote to memory of 524	4912	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	82
PID 4912 wrote to memory of 524	4912	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	82
PID 4912 wrote to memory of 524	4912	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	82
PID 524 wrote to memory of 4536	524	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	83
PID 524 wrote to memory of 4536	524	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	83
PID 524 wrote to memory of 4536	524	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	83
PID 4536 wrote to memory of 1560	4536	svchost.exe	84
PID 4536 wrote to memory of 1560	4536	svchost.exe	84
PID 4536 wrote to memory of 1560	4536	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.txt

Filesize
5B

MD5
43fb2705d9766ea761f934981936503f

SHA1
c9589c81355baab345cd121a76dcd743d65e131c

SHA256
766a90366e6cac315d05afc9c97dcd6206a7f66da260dd41d209bb6ad13947e0

SHA512
ebf82587e4a8dad580b0c6c6959c73315c584cea82c41c073aab41854a44027fbc63d3f360651e726bfe71bc9e99a1b803574715e63d462f90182291ce3dfbf4

Download Submit
memory/524-132-0x0000000000000000-mapping.dmp

Download
memory/524-133-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/524-136-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1560-140-0x0000000000000000-mapping.dmp

Download
memory/4536-135-0x0000000000000000-mapping.dmp

Download
memory/4536-137-0x00000000001E0000-0x00000000001EE000-memory.dmp

Filesize
56KB

Download
memory/4536-138-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/4536-139-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download