498eca7b6895533bfe4d6eb3132d5c8f3188ec13756bf20a79b5eada2c916291

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2023, 15:28

Target

2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe
Size

189KB
MD5

2b97cbe9755b123e26c0904b9b668a84
SHA1

fbe5e0b1e19931e0a7b9e0c87d6bbf0c63d7c471
SHA256

498eca7b6895533bfe4d6eb3132d5c8f3188ec13756bf20a79b5eada2c916291
SHA512

6f87b741acfc76d23fa68467968fa189bcd14f70918c99c4eb8ca0410f7554bcf0e2b2a80a78ae760987ce37587808a1e8f732dc9e0913fdad4b3ed3eb591455
SSDEEP

3072:lVkukYegjaTKChZJ2c7UTyE0HUTdlsBib/BOVLiNhx9/cySHgGtbgX:Aukqenv1ZE0Hswib5OghxehV1g

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
4612	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3392	2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe
3392	2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4612	3392	2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe	87
PID 3392 wrote to memory of 4612	3392	2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe	87
PID 3392 wrote to memory of 4612	3392	2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe	87
PID 3392 wrote to memory of 3684	3392	2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe	88
PID 3392 wrote to memory of 3684	3392	2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe	88
PID 3392 wrote to memory of 3684	3392	2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2b97cbe9755b123e26c0904b9b668a84_mafia_JC.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3684

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\HWID.txt

Filesize
271B

MD5
d8113e67552e5dbc234a129b3848f33b

SHA1
998a3a9803a1ec64e58e5d31ab8dda3e8baff88d

SHA256
f533e2ff2926a17a47e67b288946c559ce0b3b1587f34be7f577a44529cd3b35

SHA512
b9b62e88d42deb7b0f44a006a37f513a01871825f74e73ab872305a8be4fefc0e7842cedf7bbba4d1b5f7da4af7780066b96d4fce341843f54f9acbda0cae2b8

Download Submit