3797d33045461d3f38719dc5a2c226a8163dc06ac0b75c2a93c54ab91f0efb5b

Analysis

max time kernel
388s
max time network
441s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
15-04-2023 12:36

Target

res/Fonts/Hack-RegularOblique.ttf
Size

370KB
MD5

d5c7cd4911c672e9d0709367ad7424b4
SHA1

4c652eaa1b9c3d4ffb9b27f2f707b6a566486203
SHA256

070c03fbc989d63161b1297e556ade02e825a6c9c02c7d5dbfabba2fec4d40fa
SHA512

690bad1e65c9e3a4031d3ae517202607af8adbac6140e8dad11d88dd633622ba414db6cdcf111090989b1742df8909c646b5a6995ce6cb54ce81d416c13fa4ab
SSDEEP

6144:C2ZwwLJ4NiDdXeCtzJo1PrOTjpDmFZjVpd/7zB5WxLrU+7yRwr5RFIxHixJ8iMrk:C2ZwwLV1eCvmArU5R8OxHiYiM7S6n6BF

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings cmd.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 4204 wrote to memory of 2496 4204 cmd.exe fontview.exe
PID 4204 wrote to memory of 2496 4204 cmd.exe fontview.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	cmd.exe

description	pid	process	target process
PID 4204 wrote to memory of 2496	4204	cmd.exe	fontview.exe
PID 4204 wrote to memory of 2496	4204	cmd.exe	fontview.exe

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\res\Fonts\Hack-RegularOblique.ttf
2⤵
PID:2496

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact