11bd912c5454ced0323488a0844a9c413463c759443d465e7cda28f73db75382

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe
Size

190KB
MD5

2b2a8c039a67d33ac608fe5660540063
SHA1

71088b9594deb4296b74e0c5d340b425934c366e
SHA256

11bd912c5454ced0323488a0844a9c413463c759443d465e7cda28f73db75382
SHA512

2b6167ecd95c7a6bf018e836f72614e784bb4db127f1d053c4b959f6cb378c1cb6e2d6f48e3ff2fbbd8f1538580ca9eb6286935538b2ef388b00f4157b8e0f3b
SSDEEP

3072:bD/LRRwelzjlJlBbZpz9lZoVCVBxuH1KKMuoZvVTDz4CxcUTnEv55bAe8:P/Lgep51PzCAuLyvJDMCNnA55A

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings	2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4248	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1120	2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe
1120	2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 4248	1120	2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe	86
PID 1120 wrote to memory of 4248	1120	2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe	86
PID 1120 wrote to memory of 4248	1120	2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_2b2a8c039a67d33ac608fe5660540063_mafia_JC.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HWID.txt

Filesize
271B

MD5
d12694db7bb5e8b3acb5f4980c6a7db2

SHA1
71aac29bc82c43c66427533c460ad03481f1ba9f

SHA256
87ced392234ec453b4943489c7988d324bdcbbaa3e5758d5c2dadcce2e63be8c

SHA512
15fe140287db8a322ed9a8d29998ab5daf43471f9060198405a39fc75e3f03ddeae69a6a4a9d4cb042b45b87ff02b22273c763b6527382e0c449390adc482e21

Download Submit