61859a2460b667071ecd47bb30206247afc972d6a02f5932d827057734347133

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2023 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

newhotmail/hotmail/css/styles.css
Size

1KB
MD5

ff2e2bbf0a5b2be28dcd2be9e138f2c2
SHA1

4371c8fed104ac9467f261792a302d5e20f0df9e
SHA256

27732da9086f732dfbe7ed9dc94da532b413cf0565b2b11afcd8b09208bff464
SHA512

c1a0d2139f016b44ca12a80d22b01e67fbfb684f8fa49c69b18db1891cd1f8d8a2b87d4a22a8e5ced553300c5248eaa914fd06cb667650dcf639a494330ef50b

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4024 NOTEPAD.EXE
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 4564 wrote to memory of 4024 4564 cmd.exe NOTEPAD.EXE
PID 4564 wrote to memory of 4024 4564 cmd.exe NOTEPAD.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	cmd.exe

pid	process
4024	NOTEPAD.EXE

description	pid	process	target process
PID 4564 wrote to memory of 4024	4564	cmd.exe	NOTEPAD.EXE
PID 4564 wrote to memory of 4024	4564	cmd.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\newhotmail\hotmail\css\styles.css
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\newhotmail\hotmail\css\styles.css
2⤵
- Opens file in notepad (likely ransom note)
PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads