85d84da597bba6a36e1f89b137e843a09b4022515b9bd51a53a39a97b1325826

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
04/08/2023, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Upload/admin/styles/default/forum.css
Size

1KB
MD5

7332351b160ef8b2222853c2848e25a6
SHA1

3fd9c0e73a32cab42207ea40c2ab6bcc5ff14f5c
SHA256

a4b3f0d3ea620f994b89ca55922efa44d7f152ce80e644ff25c012f7900fcf3a
SHA512

e0d0ea72187063ec5be90ce17e482eb0c9fbd2e7653d5e531a9b1b31e122057b9e2243e473b2a214bfef45b94fcf95b0ca85767c6793223d8b8c97ae9ed72f69

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2888	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2888	2828	cmd.exe	29
PID 2828 wrote to memory of 2888	2828	cmd.exe	29
PID 2828 wrote to memory of 2888	2828	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Upload\admin\styles\default\forum.css
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Upload\admin\styles\default\forum.css
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...