8a17cdd68c836efe945abff5a3774efe2cdf4d35714fe1ead6aba692bd58e5c9

Analysis

max time kernel
151s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2023, 09:45

Target

7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe
Size

189KB
MD5

7c8c269ee664b06908bf6575f5e1f329
SHA1

b531d3122d6842be297e09cd60b04c4083c528c4
SHA256

8a17cdd68c836efe945abff5a3774efe2cdf4d35714fe1ead6aba692bd58e5c9
SHA512

058bfd30ed97166d64ac59da7a7eeb3316d7e2a95a75546a215f7e4f92bef2fe74da4e287aa8e5a50f10f98115a33e328ba88f1b0428aa13961f9c257e7d2916
SSDEEP

3072:SnHITxpc4x6J1wvj10ugchrYBRnUf50LhFfdR09AgGtbG2:AHIpLIkjxRYBRUYhFjUAV1

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
752	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1352	7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe
1352	7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 752	1352	7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe	83
PID 1352 wrote to memory of 752	1352	7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe	83
PID 1352 wrote to memory of 752	1352	7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe	83
PID 1352 wrote to memory of 4564	1352	7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe	84
PID 1352 wrote to memory of 4564	1352	7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe	84
PID 1352 wrote to memory of 4564	1352	7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe	84

C:\Users\Admin\AppData\Local\Temp\7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7c8c269ee664b06908bf6575f5e1f329_mafia_JC.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4564

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\HWID.txt

Filesize
271B

MD5
100ddadd2e6ccef4d643bc11973a3c7a

SHA1
b6ed0172db866d3db27f9262961ef8b1a967973c

SHA256
87ef55fba286a78e5d750cd49cd01f5e12226a245ec09d712ae12417d5af10a9

SHA512
c57def479f3b893cf2e5bb394da3d91837153df93c7b8d40b60320295e25a82e1ab18a9124c3d75efbb4a18f027890f87b6f01b6f4b04d071260cdfa3d56e719

Download Submit