f0b7f9e217f38b2e6d7c61d012bec8a8d4fb3409d2f1afdaf929f67a6d9c6b91

Analysis

max time kernel
53s
max time network
67s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
22/03/2023, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0b7f9e217f38b2e6d7c61d012bec8a8d4fb3409d2f1afdaf929f67a6d9c6b91.exe
Size

2.7MB
MD5

721f17f70304915d518e18b61aabaec1
SHA1

36a1fbc9f4ef6f9491c2f1864da604379f976a02
SHA256

f0b7f9e217f38b2e6d7c61d012bec8a8d4fb3409d2f1afdaf929f67a6d9c6b91
SHA512

60c897870a64b2cb44976e569c32345c30aef2ee3621080cee4d6c53f09c958acd013497c3e63b29cfbd134bdce8d11d3451b8df985c048a19a7602c135b8809
SSDEEP

49152:DJ0887D8dfXU4fBR3+akr4UG2lWTF2X8tyzIdp+Et+f9fV4xe2Qxmy7C1SG:t0f7DDu3u4F2X8YzIdp+Et2732I/7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2532	notepad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2532	2160	f0b7f9e217f38b2e6d7c61d012bec8a8d4fb3409d2f1afdaf929f67a6d9c6b91.exe	66
PID 2160 wrote to memory of 2532	2160	f0b7f9e217f38b2e6d7c61d012bec8a8d4fb3409d2f1afdaf929f67a6d9c6b91.exe	66
PID 2160 wrote to memory of 2532	2160	f0b7f9e217f38b2e6d7c61d012bec8a8d4fb3409d2f1afdaf929f67a6d9c6b91.exe	66

C:\Users\Admin\AppData\Local\Temp\f0b7f9e217f38b2e6d7c61d012bec8a8d4fb3409d2f1afdaf929f67a6d9c6b91.exe
"C:\Users\Admin\AppData\Local\Temp\f0b7f9e217f38b2e6d7c61d012bec8a8d4fb3409d2f1afdaf929f67a6d9c6b91.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\hwid.ini
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\hwid.ini

Filesize
44B

MD5
744ead9f649a4191f64962f40439b35e

SHA1
610b72586ddb1015930e1820067bb718a248da74

SHA256
eaff27b4048efe3b656bc0875908cf780f427807613d9686e2e9e02be53b5498

SHA512
8cf5a7f24c53905ccdd92ff85487cddf5f7368655945a53ddce28612fa3235f2e2ee7e2c442336e4898bbf53723f3c433190eb50f3479f6e62cfbafbefa329ec

Download Submit