737c8aa1e9a435f9a4041a3132ed01595139f5c1cdeff1bc3d3b0ea7b2035aa8

Analysis

max time kernel
1561s
max time network
1565s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
14/11/2023, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boredape/src/css/style.css
Size

13KB
MD5

c5465108b125a2f0ebac522fce3e4dac
SHA1

26d647d5e8dd6181a44ae2c61cd920f4dc585bd4
SHA256

f6e9fdbb8d743def7d96fd9dd86085736abecfac0025a7ac0b85d020db46470d
SHA512

53401715b3a37504048eed0adda5443f38c21b70344d8107682d0d092b8ea8859b67252655fa8e2dec5a0d8978fb67b587f578a11aa26738b19a055b6c48eeaf
SSDEEP

192:DH7nV+/XXyOZtWGLRWR9XyatXydWRSdsV+oXygffXyGXycmDaOY2Xywz0DXy0Kfv:QZIG1sAP

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2352	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 2352	1408	cmd.exe	29
PID 1408 wrote to memory of 2352	1408	cmd.exe	29
PID 1408 wrote to memory of 2352	1408	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\boredape\src\css\style.css
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\boredape\src\css\style.css
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...