Analysis

  • max time kernel
    56s
  • max time network
    59s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27/03/2023, 21:17

General

  • Target

    743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae.exe

  • Size

    2.7MB

  • MD5

    221557c8ef2eb07dd6cbaba7a212ffe7

  • SHA1

    ec0f4dff84dc3cfa085419f8d81ca86c409e62a2

  • SHA256

    743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae

  • SHA512

    dd117503f80902ab9cb0316365aa120855cd7397526fc390c93b8d3c72f509aca3777c1452b7983d66c548f1a93282a39d7f0762bc2b05c3f64a4a5438fd5f4f

  • SSDEEP

    49152:VNUdlQKFAkGnq6nbaE4tLDHV7bmbkc+gG/VCz/fved36SMz3ES:bUjQSk4117bmbkc+gekzWd3TMz

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae.exe
    "C:\Users\Admin\AppData\Local\Temp\743b95e996785ec2d54eeeaab370cba45d0ea0879e8bbd1df8e6ba40fcac36ae.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3804
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\hwid.ini
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:3484

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\hwid.ini

    Filesize

    44B

    MD5

    65cbdf3a159574d1aea26984941c8f41

    SHA1

    4ba7654c2e8f4a1f04906a7c4f82e819c94815a5

    SHA256

    53e18a0920d6b3f250b978af74f820ce8d3d38821d1e85422fb1d97295d57868

    SHA512

    66cf81eb3172a0d7414f318273c71b035ebf780031231c1a5a09617c61a59b516829f8b4f1d933dc4e741569b1a39668fa9e1a889afc25d3abaf693af8691810