d475eaf4ced931df4b34d3f60078ae05b5e441f7c9403f728ff5d09b092993fd

Analysis

max time kernel
141s
max time network
140s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-05-2023 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d475eaf4ced931df4b34d3f60078ae05b5e441f7c9403f728ff5d09b092993fd.exe
Size

1.5MB
MD5

79df9ebedfcc0f5ab7fb26292591bea9
SHA1

7e7d7400256947f91ad1d548696d00cec542b640
SHA256

d475eaf4ced931df4b34d3f60078ae05b5e441f7c9403f728ff5d09b092993fd
SHA512

73c5d16921769250b423c2c812f671019d6e7121591ad049213141f42051782351d4abfa684404b37b653cc3c082c82f6e6ab839d3c38fd5ac39469571cb9141
SSDEEP

24576:tNyPSMDpJvglAj3iGFxfMN3+zhUBIsmT2GIMGzDX:twkARFxc+zhUJI1IM6

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2000	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1196	d475eaf4ced931df4b34d3f60078ae05b5e441f7c9403f728ff5d09b092993fd.exe
1196	d475eaf4ced931df4b34d3f60078ae05b5e441f7c9403f728ff5d09b092993fd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2000	1196	d475eaf4ced931df4b34d3f60078ae05b5e441f7c9403f728ff5d09b092993fd.exe	27
PID 1196 wrote to memory of 2000	1196	d475eaf4ced931df4b34d3f60078ae05b5e441f7c9403f728ff5d09b092993fd.exe	27
PID 1196 wrote to memory of 2000	1196	d475eaf4ced931df4b34d3f60078ae05b5e441f7c9403f728ff5d09b092993fd.exe	27
PID 1196 wrote to memory of 2000	1196	d475eaf4ced931df4b34d3f60078ae05b5e441f7c9403f728ff5d09b092993fd.exe	27

C:\Users\Admin\AppData\Local\Temp\d475eaf4ced931df4b34d3f60078ae05b5e441f7c9403f728ff5d09b092993fd.exe
"C:\Users\Admin\AppData\Local\Temp\d475eaf4ced931df4b34d3f60078ae05b5e441f7c9403f728ff5d09b092993fd.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\4.3°æ±¾¸üÐÂÈÕÖ¾.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4.3°æ±¾¸üÐÂÈÕÖ¾.txt

Filesize
129B

MD5
6b52d7f17b6c6e8fb7d6af4dfad47cbe

SHA1
662751075bb07d4d76a09c28c7e065cf366eaca7

SHA256
bc39da60b056dc73398909667c7beb504db1293c6a787f98973d96af5ef86137

SHA512
d9ad429b53ceed6576ced0599dcd312cc4e07439e07d33b636c7c38f93779f7a78e3819992f31b0b6109c00cb774f15bdd519d43e4bb7610fb2c1712611b708b

Download Submit