1360b29d035673ba3c7513a9ae0078e05bc179e51880beb6648996d9f2bcfc64

Analysis

max time kernel
127s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2023 08:35

Target

app.4df63c69c64f6ef78419a0a528801587.css
Size

35KB
MD5

c5948e2082976d1d298eb03bca6b21ee
SHA1

c8aa44c79e4f6198890ea7d60110536b490fdb48
SHA256

d87a84fb7978b6804f9e9bf292e4e06638904e46254297504bf7fe6914d2228e
SHA512

b61b9760bbf387179c9eb33d44176423aea1f03519655da0009b6e19ad1ed391c88e0ee1aae4ba994c694d227a3833fac371a02b4333aef6b2268be40f1b41e1
SSDEEP

384:IG/kmhKTze8ykyI4hv20Vn5TLz7d151HVXZCuVeo8W8W3fqknoV6Ij+1dot2x2T3:tNoYy

Score

7^/10

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3860 NOTEPAD.EXE
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 3824 wrote to memory of 3860 3824 cmd.exe NOTEPAD.EXE
PID 3824 wrote to memory of 3860 3824 cmd.exe NOTEPAD.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	cmd.exe

pid	process
3860	NOTEPAD.EXE

description	pid	process	target process
PID 3824 wrote to memory of 3860	3824	cmd.exe	NOTEPAD.EXE
PID 3824 wrote to memory of 3860	3824	cmd.exe	NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\app.4df63c69c64f6ef78419a0a528801587.css
2⤵
- Opens file in notepad (likely ransom note)
PID:3860

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact