61859a2460b667071ecd47bb30206247afc972d6a02f5932d827057734347133

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25-07-2023 11:01

Target

newhotmail/hotmail/css/styles2.css
Size

1KB
MD5

14f374ca6a431ae435e02e1e82ea0208
SHA1

2bb9d015f83b2690c3aff434e889bc9420057864
SHA256

30051b3938ad5f811dda560878c62acca73c8a4433cc12016f8b593fbf1d44b2
SHA512

78a0eaf0d7272b1986fe3778a528efe16e56912a7a0cc18aa630a6bb8d373ff3cbdf3b87a1abb8fc909372d48b1ad183e92608428c2c3edc7b4f9cd060cdee81

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2856 NOTEPAD.EXE

pid	process
2856	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2548 wrote to memory of 2856	2548	cmd.exe	NOTEPAD.EXE
PID 2548 wrote to memory of 2856	2548	cmd.exe	NOTEPAD.EXE
PID 2548 wrote to memory of 2856	2548	cmd.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\newhotmail\hotmail\css\styles2.css
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\newhotmail\hotmail\css\styles2.css
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2856

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact