af1e5a35205ff695a3ef3f804d894e1479cb5c1a7f9b7c904f4b6261035fd9c3

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31/03/2023, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe
Size

2.7MB
MD5

c769d7ef70879f6622702c7b779b3116
SHA1

22759453da12d05f18a4dc343dd11eac222bcee0
SHA256

a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2
SHA512

58f69c41d2fd194421b6e334099ea9cdc9782c86efa546883440615f8cc9cd84d703ee127cd61f52b1c4697fb081410b144438113bf05c67e12934e6e47c6791
SSDEEP

49152:EntHBrqP4eKtmPua5wB/kzqCUVhs32eBKBihenM7Ng+C:+tH1qPJYczqCUVhs32F7no

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1976	notepad.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1976	2012	a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe	28
PID 2012 wrote to memory of 1976	2012	a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe	28
PID 2012 wrote to memory of 1976	2012	a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe	28
PID 2012 wrote to memory of 1976	2012	a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe	28

C:\Users\Admin\AppData\Local\Temp\a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe
"C:\Users\Admin\AppData\Local\Temp\a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\hwid.ini
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\hwid.ini

Filesize
44B

MD5
ba4ca12c75ab9285928ef58e7449a415

SHA1
ca9881d443c76c7973e780c364515c67ae7a8eff

SHA256
e43d455d9c7ec6358b620787b54c96e495bc111138d218a21661e9d26e4f82b7

SHA512
dd6f074edf6ad458f8cfef5b70d7db42567b6139866e4afa5a4695ace38302ee98a5a58477611ccd8b882d31540159a375285ac65debe73d340e65d43a9e728d

Download Submit