fc4e765c5e87c07643a87954ae73caf907ef1d0e14302817c206b3e15c7ac118

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2023, 16:18

Target

994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe
Size

190KB
MD5

994685ea02472ec40f8f7c0eb8a34a5c
SHA1

c64e9ec63e98c2b71512ea8dc29cedae77a4c73c
SHA256

fc4e765c5e87c07643a87954ae73caf907ef1d0e14302817c206b3e15c7ac118
SHA512

c1c9b3b7a28e7d80a2e92888b5fd19c3e0534755cec935c3606cad6e8c734c2a8c2558d3482689dd09b2edfbcd43f4b1c1914a8ad5a4e8471e4d0910838ed0c0
SSDEEP

3072:4YE3BdE+SBy+LdWkVMh7QqZrUgB4Ao5GtZoGfU9K0HEbB9Bd:4YE3BUByuz+z4gFbZss8g

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
4672	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4424	994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe
4424	994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 4672	4424	994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe	86
PID 4424 wrote to memory of 4672	4424	994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe	86
PID 4424 wrote to memory of 4672	4424	994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe	86
PID 4424 wrote to memory of 3332	4424	994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe	87
PID 4424 wrote to memory of 3332	4424	994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe	87
PID 4424 wrote to memory of 3332	4424	994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe	87

C:\Users\Admin\AppData\Local\Temp\994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\994685ea02472ec40f8f7c0eb8a34a5c_mafia_JC.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3332

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\HWID.txt

Filesize
271B

MD5
def2e02ad4f9ca4f5566a9117ea51515

SHA1
7abd0a5e83d056957c02c507cf4bed7937cade64

SHA256
4cbc71b9f1c56b08c8680448aa8e46404c8805549814d658bd5d3a6593831206

SHA512
7e2e6defe66b7ace5c2e0bf2ed25f6c683175cce706b1dcc6259ee74ab892e5ed5aff1565ddc782237493f359e63e5407748fa6d59f7536c85ec8e20d9b023c6

Download Submit