707e4c6d5d57fe10d244fd24f57943ac4bd01f575cafa82dcacba9ce1ca6700e

Analysis

max time kernel
27s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/05/2023, 16:03

Target

NodeBeamEditor/bin/html/css/bootstrap.min.css
Size

114KB
MD5

eedf9ee80c2faa4e1b9ab9017cdfcb88
SHA1

ed29315e0ffb3f14382431f2724235bf67f44eb3
SHA256

f04b517ba5d6a0510485689a3e42dac000f51640fd71b986804cba178eae42a5
SHA512

ff9296270da6bcc3b664ce5f9dd5715109a954fa9ac59c9845332b5edae9aecc90db3334a3434c8d4d3623c6495de04fb6b9ab3cee0803208246cc9d1b4049a1
SSDEEP

768:byzGxw/jyBQWlJxtQDINHHlgmqITm8qAdwFKbv2ctBDI35UPyu8psYvS1Ft:/w/GLiINHHlgmC8p5b5ZPUpE

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
1512	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1512	1692	cmd.exe	28
PID 1692 wrote to memory of 1512	1692	cmd.exe	28
PID 1692 wrote to memory of 1512	1692	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NodeBeamEditor\bin\html\css\bootstrap.min.css
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\NodeBeamEditor\bin\html\css\bootstrap.min.css
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1512

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact