Analysis
max time kernel: 149s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-03-2023 17:17
Static task: static1
Behavioral task: behavioral1
Sample: d8d804dff18b504569fc3ef52a27e3710232263b928eb929731e1bd75be55b9b.exe
Resource: win10v2004-20230220-en
General
Target: d8d804dff18b504569fc3ef52a27e3710232263b928eb929731e1bd75be55b9b.exe
Size: 2.7MB
MD5: 004160ae8ef127850322f86fb8530895
SHA1: 200d30ecdee4253673efa6674c72cb0df0ab87fe
SHA256: d8d804dff18b504569fc3ef52a27e3710232263b928eb929731e1bd75be55b9b
SHA512: 9fdb0a1ebd9925468242a6e5b605e28147124dae6ca6993c0b14869dabbf8d286b215256785bd4e20366a93ca656f44fdbb088ea4aee95ecd44246749c0196b8
SSDEEP: 49152:j0Sw276pOL0rAx+CG1Vu7QzVmbAQaUxqzFbAXAet2sQ8i9JWN:4eGSSZmbAQXxqzFst2sK
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
  Process: d8d804dff18b504569fc3ef52a27e3710232263b928eb929731e1bd75be55b9b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Opens file in notepad (likely ransom note) (1 IoC)
  pid: 2828
  Process: notepad.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3348 wrote to memory of 2828
  pid: 3348
  Process: d8d804dff18b504569fc3ef52a27e3710232263b928eb929731e1bd75be55b9b.exe
  procid_target: 82
  description: PID 3348 wrote to memory of 2828
  pid: 3348
  Process: d8d804dff18b504569fc3ef52a27e3710232263b928eb929731e1bd75be55b9b.exe
  procid_target: 82
  description: PID 3348 wrote to memory of 2828
  pid: 3348
  Process: d8d804dff18b504569fc3ef52a27e3710232263b928eb929731e1bd75be55b9b.exe
  procid_target: 82
Processes
C:\Users\Admin\AppData\Local\Temp\d8d804dff18b504569fc3ef52a27e3710232263b928eb929731e1bd75be55b9b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d8d804dff18b504569fc3ef52a27e3710232263b928eb929731e1bd75be55b9b.exe"
  PID: 3348
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\notepad.exe
    command line: "C:\Windows\System32\notepad.exe" C:\hwid.ini
    PID: 2828
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 44B
MD5: 5dcbcf94feb70fb014d806809ae5c528
SHA1: 23de440411cab205609271d875d33076d5016fac
SHA256: a9e6fcbfcb9583099140447d75b6fb4ca0adc8a423056a4ee4f7a452b43e7360
SHA512: 2ac28bbb87c84d7039ff819a0aabde812898be09ecb63859cd143f2d3bb3b78dc1832167215771a6abe40ca89dbaf9a569938f7812c54f498b09bb68c30f79a2