61859a2460b667071ecd47bb30206247afc972d6a02f5932d827057734347133

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25-07-2023 11:01

Target

newhotmail/hotmail/css/styles.css
Size

1KB
MD5

ff2e2bbf0a5b2be28dcd2be9e138f2c2
SHA1

4371c8fed104ac9467f261792a302d5e20f0df9e
SHA256

27732da9086f732dfbe7ed9dc94da532b413cf0565b2b11afcd8b09208bff464
SHA512

c1a0d2139f016b44ca12a80d22b01e67fbfb684f8fa49c69b18db1891cd1f8d8a2b87d4a22a8e5ced553300c5248eaa914fd06cb667650dcf639a494330ef50b

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2508 NOTEPAD.EXE

pid	process
2508	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2220 wrote to memory of 2508	2220	cmd.exe	NOTEPAD.EXE
PID 2220 wrote to memory of 2508	2220	cmd.exe	NOTEPAD.EXE
PID 2220 wrote to memory of 2508	2220	cmd.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\newhotmail\hotmail\css\styles.css
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\newhotmail\hotmail\css\styles.css
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2508

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact