8b3f2d121c3c544286f590c1e524b6f09c2408cb2eaba5051f71fdc8aab8c61e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wwwroot/_content/Saturn.Backend/css/swapper/base.css
Size

5KB
MD5

9f0ee3c7672419df9f115438f789ae40
SHA1

44473ee3a71515dc104e78de9d7c4ae5dc041805
SHA256

79e21bd2a40a3a29564afd81205e6d00eced82391e17a2297babcb88eacd2f7a
SHA512

8b2f65c2f81da98d6ab5b0b007e39736b603bde6e3ae834ba535c2ca49c137367ca86a3a98a1891c591cad608e6cc98596c8a5ef11585a8762d693aecc1743fd
SSDEEP

96:BvAqXkf/mJjWeN9TE9iTxU9OFU9EiSBXZXHOEA//XTl2qMAL3oRiBELLIQQrA:GUdz9TE9iTxU9z9DS5ZXOE0PTAqMALYL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2120	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3724	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2120	432	cmd.exe	88
PID 432 wrote to memory of 2120	432	cmd.exe	88

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\wwwroot\_content\Saturn.Backend\css\swapper\base.css
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wwwroot\_content\Saturn.Backend\css\swapper\base.css
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2120

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
413da4df6e807597c6c01720bb00749c

SHA1
9b323dea0cd2b6c8b60944ab613af02d145a862d

SHA256
0e852d552b6fca5d7d87ea651756e3d4c67c84c4063a7b4a4513dd6bfad9ce5a

SHA512
12b9120c619f822e0cd970700e57758e5daf5c02acb277063acf0c32b4b2f209139eb3b20d86f9e714be060cb12fd62d4f3fdf138b669b36e9407bb6a7f017d4

Download Submit
memory/3724-39-0x000001FB40FC0000-0x000001FB40FC1000-memory.dmp

Filesize
4KB

Download
memory/3724-36-0x000001FB40FC0000-0x000001FB40FC1000-memory.dmp

Filesize
4KB

Download
memory/3724-33-0x000001FB40FC0000-0x000001FB40FC1000-memory.dmp

Filesize
4KB

Download
memory/3724-35-0x000001FB40FC0000-0x000001FB40FC1000-memory.dmp

Filesize
4KB

Download
memory/3724-34-0x000001FB40FC0000-0x000001FB40FC1000-memory.dmp

Filesize
4KB

Download
memory/3724-38-0x000001FB40FC0000-0x000001FB40FC1000-memory.dmp

Filesize
4KB

Download
memory/3724-40-0x000001FB40FC0000-0x000001FB40FC1000-memory.dmp

Filesize
4KB

Download
memory/3724-42-0x000001FB40FC0000-0x000001FB40FC1000-memory.dmp

Filesize
4KB

Download
memory/3724-41-0x000001FB40FC0000-0x000001FB40FC1000-memory.dmp

Filesize
4KB

Download
memory/3724-43-0x000001FB40D00000-0x000001FB40D01000-memory.dmp

Filesize
4KB

Download
memory/3724-32-0x000001FB40FB0000-0x000001FB40FB1000-memory.dmp

Filesize
4KB

Download
memory/3724-37-0x000001FB40FC0000-0x000001FB40FC1000-memory.dmp

Filesize
4KB

Download
memory/3724-0-0x000001FB38A40000-0x000001FB38A50000-memory.dmp

Filesize
64KB

Download
memory/3724-44-0x000001FB40CF0000-0x000001FB40CF1000-memory.dmp

Filesize
4KB

Download
memory/3724-49-0x000001FB40CF0000-0x000001FB40CF1000-memory.dmp

Filesize
4KB

Download
memory/3724-68-0x000001FB40F50000-0x000001FB40F51000-memory.dmp

Filesize
4KB

Download
memory/3724-67-0x000001FB40E40000-0x000001FB40E41000-memory.dmp

Filesize
4KB

Download
memory/3724-66-0x000001FB40E40000-0x000001FB40E41000-memory.dmp

Filesize
4KB

Download
memory/3724-64-0x000001FB40E30000-0x000001FB40E31000-memory.dmp

Filesize
4KB

Download
memory/3724-16-0x000001FB38B40000-0x000001FB38B50000-memory.dmp

Filesize
64KB

Download
memory/3724-52-0x000001FB383F0000-0x000001FB383F1000-memory.dmp

Filesize
4KB

Download
memory/3724-46-0x000001FB40D00000-0x000001FB40D01000-memory.dmp

Filesize
4KB

Download