743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae

Analysis

max time kernel
56s
max time network
59s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27/03/2023, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae.exe
Size

2.7MB
MD5

221557c8ef2eb07dd6cbaba7a212ffe7
SHA1

ec0f4dff84dc3cfa085419f8d81ca86c409e62a2
SHA256

743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae
SHA512

dd117503f80902ab9cb0316365aa120855cd7397526fc390c93b8d3c72f509aca3777c1452b7983d66c548f1a93282a39d7f0762bc2b05c3f64a4a5438fd5f4f
SSDEEP

49152:VNUdlQKFAkGnq6nbaE4tLDHV7bmbkc+gG/VCz/fved36SMz3ES:bUjQSk4117bmbkc+gekzWd3TMz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3484	notepad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 3484	3804	743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae.exe	66
PID 3804 wrote to memory of 3484	3804	743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae.exe	66
PID 3804 wrote to memory of 3484	3804	743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae.exe	66

C:\Users\Admin\AppData\Local\Temp\743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae.exe
"C:\Users\Admin\AppData\Local\Temp\743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\hwid.ini
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\hwid.ini

Filesize
44B

MD5
65cbdf3a159574d1aea26984941c8f41

SHA1
4ba7654c2e8f4a1f04906a7c4f82e819c94815a5

SHA256
53e18a0920d6b3f250b978af74f820ce8d3d38821d1e85422fb1d97295d57868

SHA512
66cf81eb3172a0d7414f318273c71b035ebf780031231c1a5a09617c61a59b516829f8b4f1d933dc4e741569b1a39668fa9e1a889afc25d3abaf693af8691810

Download Submit